Preface



This volume contains a number of revised papers that were selected from papers
presented at the last ModelAge workshop held in Certosa di Pontignano
(Italy) in 1997, organised by the Institute of Psychology of the Italian CNR 
(IP-CNR), Division of Artificial Intelligence, Cognitive Modeling and Interac- 
tion. The organisation chair was held by Amedeo Cesta. The workshop, and 
indeed the ModelAge project as a whole, aimed to bring together a number 
of researchers stemming from different disciplines to discuss formal models of 
agency from different perspectives. These disciplines included artificial intelli- 
gence, software engineering, applied logic, databases, and organisation theory. 
The field of intelligent agents has become an important research area within 
these disciplines, and in the workshop as in the present volume the concept of 
agency is thus considered from a multi-disciplinary perspective. 

In the introductory chapter of this volume more can be found on the area 
of intelligent agents as well as on the topic of formal models of these. We fur- 
thermore provide some key references, so that the reader can better appreciate 
the position of the present volume within the literature on agent technology. 
Moreover, we briefly describe the ModelAge project which was an ESPRIT- 
funded Basic Research Working Group dedicated to the study of formal models 
of agents, and one may find the details of the organisation of the workshop
here. Finally in this chapter we give a detailed overview of the contents of this 
book from which we hope you will get an impression of the deliberately multi- 
disciplinary approach that is taken. 

Finally, we would like to take this opportunity to thank all the persons in- 
volved in the realisation of this book: authors, PC members, additional review- 
ers, the organisers and audience of the ModelAge workshop, and the people from 
Springer-Verlag.



November 1999 



John-Jules Meyer
Pierre-Yves Schobbens 
1 Intelligent Agents

Although in philosophical literature the notion of an agent as a cognitive subject 
has been around for a long time, in the last decade or so the area of ‘Intelligent 
Agents’ has also become a major area of research within artificial intelligence 
and computer science, an area with a big promise as there are a myriad of possi- 
ble applications (see e.g. [4]). As might be expected, within the latter areas the 
concept of an agent generally has a more technical meaning, although there is no 
general consensus on its definition. But mostly by an agent is meant a (software 
or hardware) entity that has some degree of autonomy, which typically comes 
down to displaying reactive and/or proactive behaviour (that is to say that the 
agent is capable of reacting to its environment and taking initiative, independent 
of the user, respectively), might possess reasoning and learning capabilities, and 
is able to communicate in some intelligent way with other agents. Sometimes 
agents are ascribed ‘mental attributes’ such as a mental state comprising knowl- 
edge, belief. Whether these mental attributes are merely metaphorical (i.e. a 
convenient means of describing agents) or ‘real’ in the sense that these artificial 
agents possess some ‘truly cognitive’ capabilities like human or, to a lesser ex- 
tent, animal agents do, is of course a matter of philosophical debate but also a 
question depending to a large extent on the application one has in mind. 

One view of agents that is very ‘computational’ is that of viewing agents 
as the next step in programming as a successor of the popular object-oriented 
programming paradigm. Although objects already display some form of ‘auton- 
omy’ in the sense that they have their own datatypes and methods which can 
be called by other objects, agents are rather to be considered as ‘subjects’, pos- 
sessing their own ontology (signature), their own knowledge / beliefs about their 
environment (possibly including themselves if they have reflective capabilities) 
and their own goals to achieve. Moreover, communicating is much less a matter 
of just invoking a method of another agent, but rather asking questions to other 
agents which these other agents may (or may not) handle in their own way. 

Of course, these matters can also be viewed from a more cognitive perspec- 
tive. (Some researchers like to include human agents into their conception of 
an agent, and consider ‘mixed’ systems of human and artificial agents.) One can 



J.-J. Ch. Meyer, P.-Y. Schobbens (Eds.): Formal Methods of Agents, LNAI 1760, pp. 1-7, 1999.
(c) Springer-Verlag Berlin Heidelberg 1999







John-Jules Ch. Meyer and Pierre-Yves Schobbens 



then look at agents at the ‘micro’ level: their internal make-up, possibly described 
in terms of mental states (comprising knowledge, beliefs, intentions, etc.), and 
at the ‘macro’ level: external and ‘social’ behaviour (including communication, 
co-ordination, co-operation). 

It is important to stress that the area of intelligent agents is truly multi- 
disciplinary. Clearly the area has a big overlap with contemporary AI. Some 
feel that agent-based systems are the next generation of the information-based 
and knowledge-based (expert) systems from the 80’s. In any case one can read- 
ily agree that agent systems are a new generation of intelligent systems, and 
as such part of the AI research programme. As we saw above agent-oriented 
programming can also be viewed as a new programming paradigm in computer 
science, more in general. And, as we have also briefly mentioned, traditionally 
there are influences from (analytical) philosophy. Many writings by (mostly 20th 
century) philosophers on the nature of ‘action’ are relevant for the field of
‘intelligent agents’. Finally, also cognitive and social scientists show a great interest in
agents, in particular systems in which multiple agents are present, the so-called 
multi-agent systems (MAS). Their interest includes how agent societies develop 
and employ norms to govern / constrain their behaviour. 

There has arisen a great deal of literature on the topic of intelligent agents. 
Many papers deal with the practical issue of designing and building them for 
particular applications such as agents for assisting users of the internet. See, 
for example, the Proceedings of the Autonomous Agents and PAAM (Practical
Application of Intelligent Agents and Multi-Agent Technology) Conferences,
where many researchers exchange their views on how to address these appli- 
cations. More theoretical are the MAAMAW (e.g. [1]) and ICMAS conferences 
on Multi-Agent Systems (e.g. [2]), and particularly the series of books entitled 
“Intelligent Agents” in the Springer Lecture Notes in AI [8,10,9,7,5], based on 
the proceedings of the ATAL workshops (“Agent Theories, Architectures, and 
Languages”). 

2 Formal Models 

Formal models are a tool to arrive at unambiguous and precise meanings of con- 
cepts. They may comprise a well-defined language with a precise, mathematical 
semantics in terms of set theory, for example. Also one may think of some ax- 
iomatic system (logic) that lays down the exact meanings of the terms of the 
logic by postulates / axioms. Since the field of agents is ‘exploding’ in many
directions, it seems very reasonable to strive for a (common) formal model on 
which there is some consensus among the various researchers (stemming from 
different disciplines). 

However, the need for formal models goes beyond the mere understanding of 
the subject of intelligent agents (although of course this is very important, too)! 
As with traditional software, in order to design and implement agent systems 
it would be very advantageous to have some formal means of describing and 
specifying the behaviour of these systems. For this reason, too, formal models of 
agency are called for. One might, for instance, think of a logical calculus with a
well-defined semantics that describes the agent’s (mental and social) attitudes. 
To do justice to the idea of multidisciplinarity of agents and agent research as 
we have discussed above it is important to view agents from several perspectives 
which will naturally lead to the use of formal models of different nature. To 
treat the different aspects of agency adequately it appeared that many theories 
have to be considered and combined: from the theory of reasoning about actions 
and change (a well-known area in AI) to the theory of norms (dealing with the 
social attitudes of agents), from database theory and the theory of concurrent 
computation to principles of software engineering. 

We must mention here the well-known BDI model proposed by Rao and 
Georgeff [6] which has been very influential. The model is based on (branching 
time) temporal logic (CTL*). Agent behaviour is modelled by tree-like struc- 
tures, where each path through such a tree represents a possible ‘life’ of the agent. 
The basic logic containing temporal modalities such as “along every path in the 
future there is some point where” is augmented by means of ‘BDI’-modalities, 
viz. a belief operator BEL, a desire operator GOAL and an intention operator 
INTEND. Thus in this model one is able to express how the beliefs, desires 
and intentions of an agent evolve over time (or rather over possible time lines). 
Formally, Rao and Georgeff’s BDI-model is a formal (modal) logic with a Kripke-style
semantics and a logical calculus. Rao and Georgeff were especially interested
in the relationship between the BDI modalities. In their paper they discuss sev- 
eral such possible relations such as Belief-Goal compatibility and Goal-Intention 
compatibility. The former expresses that agents believe that their goals are ob- 
tainable in some future, while the latter states that the agents’ intentions should 
be goals. Rao and Georgeff and other researchers have used their model as an 
inspiration for their work on the realisation of agents. The BDI model has thus
given rise to BDI architectures where the elements of belief bases, goal bases 
and plan libraries are central. Although these have been applied quite success- 
fully, an as yet ongoing frustration among agent researchers is the gap between 
the formal (BDI) model and the (BDI-based) architectures in the sense that one 
would like to use the former to specify the latter formally and prove formal prop- 
erties about these. But as yet this is not shown to be possible, as the ‘distance’ 
between the two ‘worlds’ is too great. Within the ModelAge project some work 
has been done to give an alternative for the ‘classical’ BDI logic where the basic 
logic is a logic of action (viz. dynamic logic) rather than a temporal logic [3]. It
appears that in this way the gap can be made smaller, but a formal specification 
of a concrete agent in this logic is still a much wanted desideratum. 



3 The ModelAge Project 

The ModelAge project was an ESPRIT-funded Basic Research Working Group 
(ESPRIT III BRWG 8319) intended to study formal models of (co-operating) 
intelligent agents by means of a multi-disciplinary approach. It ran from 1994
through 1997. The official title of the project was “A Common Formal Model
of Cooperating Intelligent Agents”. The project grew out of the realisation that
the field of ‘intelligent agents’ was expanding rapidly within several (almost) 
disjoint communities with their own set of concepts, techniques and objectives, 
and that some kind of ‘co-ordination’ was necessary. In the project researchers 
participated from the areas of requirements engineering, organisational models, 
software design, concurrency theory, distributed artificial intelligence and (fed- 
erative) databases. 

The consortium consisted of groups from Namur, London (Imperial College), 
Keele, Lisbon, Oslo, Rotterdam, Utrecht / Amsterdam, Rome, Sophia-Antipolis 
(INRIA), Aachen and Braunschweig. The project had special interest groups 
on defeasibility and agent modalities, logics and models of action, interaction 
in organizations, software development process, business and legal applications, 
and on diagnostics, repair and reconfiguration. Apart from meetings of these 
special interest groups there have been four workshops of the project as a whole, 
of which the last one was advertised in a broader context with both PC members 
and presenters (and audience) outside the ModelAge project. 

Although originally the objective of the project was to obtain a common 
formal model of agency using the expertise from the diverse fields above, this 
soon proved to be somewhat too ambitious. However, it is clear that by bringing 
experts together from the above fields in general meetings and workshops as well 
as in special interest groups the project addressed the various ‘faces’ of agency 
and succeeded in stimulating cross-fertilisation among these various fields, and in
this way has been very successful and stimulating! 



4 About This Book 

4.1 The Workshop 

The present book is the result of the work done within the ModelAge project 
(complemented with some related work done outside the project), and in par- 
ticular that of the last ModelAge Workshop held in Certosa di Pontignano in 
Italy in 1997, and organised by the Institute of Psychology of the Italian CNR 
(IP-CNR). Amedeo Cesta acted as the Organisation chair. The papers have been 
reviewed by an international programme committee in which also well-known re- 
searchers outside the ModelAge project had been invited, assisted by a number 
of additional reviewers. Although the book is not intended to be a complete sur- 
vey of the work accomplished in the ModelAge project, it nevertheless reflects 
the interdisciplinary nature of the project very well. 

The PC consisted of C. Castelfranchi (CNR, Rome), A. Cesta (CNR, Rome), 
R. Dieng (INRIA, Sophia-Antipolis), E. Dubois (Univ. Namur), J. Fiadeiro 
(Univ. Lisbon), A. Jones (Univ. Oslo), H. Levesque (Univ. Toronto), J. My- 
lopoulos (Univ. Toronto), J.-J. Ch. Meyer (Univ. Utrecht), W. Nejdl (Univ. 
Hannover), M. Ryan (Univ. Birmingham), G. Saake (Univ. Magdeburg), P.-Y. 
Schobbens (Univ. Namur, Programme Chair), K. Segerberg (Univ. Uppsala), 
Y.-H. Tan (Univ. Rotterdam), R. Wieringa (Vrije Univ. Amsterdam). The papers
are selected from the papers presented at the workshop, which in turn were
selected on the basis of three independent evaluations by PC members. 

Furthermore, the following persons served as additional reviewers: D. d’Aloisi, 
G. Brewka, J. Carmo, H. Coelho, S. Conrad, R. Conte, M. Been, F.M. Dionisio, 
Ph. Du Bois, V. Englebert, R. Falcone, A. Finkelstein, M. Gertz, S. Guerra, 
W. van der Hoek, J.-M. Jacquet, U. Lipeck, G.-J. Lokhorst, A. Lomuscio, M. 
Miceli, C. Paredes, M. Petit, H. Prakken, A.S. Rao, J.-F. Raskin, J. Scheerder, 
A. Sernadas, A. Sloman, L. van der Torre, C. Türker, L Wright, J.-M. Zeippen.

4.2 Description of the Papers 

We now give a short description of the papers in this volume from which the 
multi-disciplinarity of the subject of agent modelling and the ModelAge project
itself becomes apparent. 

The paper by Stanislaw Ambroszkiewicz and Jan Komar considers rational 
behaviour of agents from a game-theoretic perspective. The desire component 
of a BDI-agent (as we have seen above) is represented as the agent’s goal to
maximize utility. The complete agent model comprises five parts dealing with 
perception, knowledge / belief, rational behaviour, the reasoning process, and 
intention. 

Frances Brazier et al. present a generic model for the internal dynamic be- 
haviour of a BDI agent. For this they employ the compositional multi-agent 
modelling framework DESIRE. Since DESIRE is aimed at the actual implemen- 
tation of agent systems, this paper provides a first step of bridging the above 
mentioned gap between formal agent models (such as the BDI model) and im- 
plementations. 

The contribution of John Bell and Zhisheng Huang deals with an important 
informational attitude of agents, viz. that of coping with their beliefs in situations 
where new information becomes available all the time. They propose an approach 
to belief revision using hierarchies of belief in order to cater for the difference in 
reliance of beliefs. These belief hierarchies themselves are dynamic in the sense 
that they (may) change over time. 

In the paper of Stefan Conrad et al. the notion of an agent is viewed as
a further development of the notion of an object in object-oriented program- 
ming. It is used to model the dynamics of information systems more adequately 
than traditional approaches. First steps towards an agent-oriented specification 
framework for this purpose are taken by employing an extended temporal logic. 

Rosaria Conte et al. discuss in their paper some basic limitations of the use
of game theory for modelling autonomous agents and multi-agent systems. In 
particular they show that Prisoners’ Dilemma games fall short for modelling 
truly cooperative behaviour. In order to get an adequate theory for cooperation 
it is therefore proposed to also include elements from AI, in particular a theory
of action and planning. 

In their paper Enrico Denti and Andrea Omicini consider the communication 
and coordination aspects of multi-agent systems (MAS) from a computer science 
point of view. They provide a flexible coordination model based on an extensible 
coordination medium for a MAS. It is shown how a MAS can be designed around
the communication abstraction behaviour. 

Frank Dignum also addresses the issue of communication between agents, but 
focuses on the distinctions between ‘global’ and ‘private’ views on communica- 
tion. In the former the MAS is seen as one big system, whereas in the latter view 
each action is ascribed to an individual agent having control over that action. 
The consequences of the two views for agent communication and the agent’s de- 
gree of autonomy are investigated, and a sketch of a formalisation of the model 
in a multi-modal logic is provided. 

Carlos Duarte looks in his paper at communication as well. He proposes a 
logical and, more specifically, a proof-theoretical foundation of the well-known 
actor model, which might be considered as an early computational model of a 
MAS, where the focus is on (rather low-level) communication. His work aims at 
the specification and verification of such actor systems. 

The paper of Barbara Dunin-Keplicz and Anna Radzikowska uses techniques
from theoretical computer science to consider a typical AI problem that is relevant
for describing intelligent agents, viz. reasoning about (nondeterministic)
actions with typical effects. They employ the KARO logic developed in the Mod- 
elAge project [3] for reasoning about actions / scenarios and add on top of this 
preferential models which are known from the area of common-sense (nonmono- 
tonic) reasoning. 

Agents typically function in a dynamic environment where circumstances 
change. Bruno Errico addresses the problem of describing the dynamics of an 
agent’s mental attitudes, that is how these attitudes change as the environment 
changes. The attitudes studied concern the agent’s beliefs and goals. His pro- 
posal is based on a well-known (within the area of AI) first-order formalism for 
reasoning about actions, viz. that of the situation calculus. 

Frohlich et al. treat an application of agent systems for the diagnosis of dis- 
tributed technical systems such as computer networks. An agent is assigned to 
each subsystem. The system is implemented by means of the concepts of vivid 
agents (a software-controlled system whose state is represented by a knowledge 
base, and whose behaviour is represented by action / reaction rules) and ex- 
tended logic programming. 

In John-Jules Meyer and Patrick Doherty’s contribution a new approach is 
set out for reasoning about actions. This is an infamous area in AI where there 
are problems like the frame, qualification and the ramification problem having 
to deal with the effects and particularly the non-effects of actions performed 
by some agent. While most proposed solutions regard the rather abstract level 
of logical theories on possible scenarios, here a solution is sought on the more 
concrete and computational level of the semantics (behaviour) of the actions 
themselves. 

Another view of agents is given by Henry Prakken: agents engaged in a 
dispute using argumentations to come to an agreement. Argumentations might 
be defeasible in the sense that when more information becomes available different 
arguments may ‘win’. In this paper a dialectical proof theory is proposed for 
defeasible argumentation in a setting in which also the priorities that determine
which arguments are defeated themselves are subject to debate (argumentation) 
and thus are defeasible. 

In the contribution of Leon van der Torre et al. we encounter yet another 
aspect of agent systems. In societies of agents (whether they consist of human 
or artificial agents) norms play an important role to regulate their behaviour. 
Traditionally (some of) these aspects are described by deontic logic in which one 
can reason about norms. In the present paper the authors argue that in order 
to also reason with norms to draw conclusions of how norms affect the agents’ 
behaviour one needs to include elements from the theory of diagnostic reasoning 
and qualitative decision theory. 

More about normative reasoning can be found in the article by Leon van 
der Torre and Yao-Hua Tan. Here a new kind of deontic logic (so-called con- 
textual deontic logic) is proposed in which one can express that something is 
obligatory under some conditions unless something else is the case. The logic 
thus comprises an interesting amalgam of ideas from deontic logic and defeasible 
(default) reasoning. Contextual deontic logic is shown to be useful for treating 
so-called contrary-to-duty obligations, which occur widely in practical situations 
involving norms. 
Abstract. A model of BDI-agent in game-theoretic framework is presented.
The desire is represented as agent’s goal to achieve a maximum
level of utility. A reasoning process based on agent’s rational behavior 
is proposed. This process determines agent’s intention. It is also shown 
how to use the backward induction consistently with the assumption of 
the common knowledge of rationality. 



1 Introduction 

We are going to discuss the following problem: 

How does a rational agent use its knowledge in decision making ? 

Since the problem is general, we put it in a game-theoretic framework. In 
the theory of games, agent’s rationality is understood as a way of maximizing 
the utility of the agent relatively to its knowledge. The knowledge may concern 
the game that is to be played as well as the agents participating in a play. 

The main task of the paper is to model BDI-agent that is supposed to live 
in the world of dynamic games. Agent’s belief is identified with the knowledge 
about the game and about other agents together with a probability distribution. 

The desire is represented as agent’s goal to achieve a maximum level of its 
utility. 

The intentions are determined by some methods that realize this level of 
utility. These methods are called rational behaviors. Bayesian behavior, that 
consists in maximizing the expected utility, may serve as the classical example 
of rational behavior considered in decision theory. 

Let us suppose that agent j is characterized by the following belief $B_j$, desire
$D_j$, and rational behavior $Rb_j$. Thus, according to the rational behavior, agent
j considers some of its actions as not optimum, relatively to $B_j$, $D_j$. The actions
that are not optimum are removed, so that the initial game is reduced; whereas 
the optimum actions may be regarded as temporal, partial, and individual in- 
tentions of agent j in the reasoning process. 

Our thanks are due to four anonymous referees for important remarks and suggestions.
The work was supported by KBN Grant 8T11C 03110
Now, let us suppose that agent i knows the characteristics $(B_j, D_j, Rb_j)$ of
agent j. Knowing this, agent i can reconstruct the reasoning process of agent j, 
and gets to know, in this way, the optimum actions of agent j, so that also the 
fact that the initial game has been reduced. Knowing that, agent i will use this 
reduced game as a basis to compute its own optimum actions. These optimum 
actions may be considered as temporal, partial, and individual intention of agent 
i in its reasoning process. 

We may suppose that agent j knows the agent i’s characteristics and the fact 
that agent i knows its own characteristics, i.e. $(B_j, D_j, Rb_j)$. Then, agent j could
compute its new knowledge about the game and on the basis of this knowledge 
its new more complete intention. 

Let us note that since no new event occurs, these changes of knowledge and 
intention have nothing to do with revision and updating. It seems that these 
changes should be called knowledge and intention evolution in the reasoning 
process. 

We can not model knowledge evolution in the formalism of Halpern et al. 
[6], because there the agents are supposed to be omniscient (i.e. the perfect 
reasoners), so that all changes are already incorporated in the knowledge. 

As to the formalism introduced by Rao and Georgeff [10], the three notions 
of belief, desire, and intention are defined independently there. So that it seems 
that agent’s intentions are considered there as a final result of reasoning process,
however without giving any reference to a construction of the process. 

The main idea of our paper is that rational behavior may be used to construct 
such reasoning process. For this purpose we divide agent’s knowledge into several 
hierarchical types. We distinguish a special type of knowledge, called ground 
type. This ground type knowledge is exactly the knowledge on which a rational 
behavior depends, i.e. the agent’s action taking is directly dependent on this type 
of knowledge. It is natural to assume that the ground type forms a small part of 
all possible knowledge of the agent. Of course, the agent should be interested in 
having this ground knowledge as precise as possible. So that the agent tries to 
find transformations (logical rules) that transform all its knowledge into ground 
knowledge making it in this way more exact. 

The process of reasoning is defined as a transformation that conveys the 
knowledge from higher types, in the hierarchy, into the lower types and finally 
into the ground type. 

The final ground knowledge is the basis for determining the final intention. 

Similar ideas of knowledge transformations may be found in [7], [13], [14] 
where a special kind of agent rationality is considered, namely Bayesian ratio- 
nality. However, the idea of the ground type is not distinguished explicitly there. 
Moreover, in all the above papers only a so-called static case is considered,
that is, agents take actions only once. The dynamic case, where the agents take 
actions many times, is much more complex and causes a number of serious prob- 
lems. One of them is the paradox, see [3], concerning backward induction, (i.e. a 
natural planning method), and common knowledge of the rationality of agents. 
Since these two notions are necessary for planning and reasoning about future, it 







Stanislaw Ambroszkiewicz and Jan Komar 



is impossible to investigate seriously the dynamic multi-agent systems without 
an explanation of the reasons that cause the paradox. 

In order to present briefly the paradox, let us consider the following two 
person game in extensive form. More details can be found in [11,3]. 



[Figure: two-person game in extensive form with decision nodes 1.1, 2.1 and 1.2; at each node the agent moves right (continue) or down (end the game).]



The first move of the game belongs to agent 1. At node 1.1 the agent can 
either continue the game (move right) or end the game (move down) with the 
payoffs: 1 dollar for agent 1, and 0 for agent 2. If agent 1 decides to continue the 
game, then agent 2 finds itself at decision node 2.1 and has to choose between 
right and down. If agent 2 chooses down then the game ends with the payoffs: 0 
for agent 1, and 2 dollars for agent 2. And so on. 

The backward induction with the assumption of common knowledge of agent
rationality gives f the solution of the game. The reason is as follows. At
node 1.2 the agent 1, acting rationally, takes move down. Knowing this, agent 2
at node 2.1 also chooses down as the only rational move. So that knowing these 
both facts, agent 1 at node 1.1, chooses as optimum the move down. 

However, let us consider again agent 2 at node 2.1. According to the back- 
ward induction and the assumption of common knowledge of rationality, agent 2 
should never find itself at the decision node 2.1. If agent 2, in spite of this, does
find itself at node 2.1, this means that the agent 1 has behaved irrationally at
node 1.1 choosing right instead of down. This contradicts the assumption of the 
common knowledge of rationality. 
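
The backward-induction argument above can be checked mechanically. The following Python sketch is an added example, not code from the paper: it solves the three-node game using the payoffs the text gives for nodes 1.1 and 2.1 and assumed payoffs for node 1.2, and then lists which prescribed moves must be violated for play to reach a given node, which is the situation of agent 2 at node 2.1.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

Payoff = Tuple[int, int]  # (payoff of agent 1, payoff of agent 2)


@dataclass(frozen=True)
class Node:
    name: str                       # decision node label, e.g. "1.1"
    agent: int                      # 1 or 2: the agent that moves here
    down: Payoff                    # payoffs if the agent ends the game here
    right: Union["Node", Payoff]    # next decision node, or final payoffs


# Payoffs at 1.1 and 2.1 are the ones stated in the text.
# Payoffs at 1.2 are ASSUMED for this example (the text only says "and so on").
N12 = Node("1.2", 1, down=(3, 0), right=(0, 3))
N21 = Node("2.1", 2, down=(0, 2), right=N12)
N11 = Node("1.1", 1, down=(1, 0), right=N21)


def solve(node: Node, plan: Dict[str, str]) -> Payoff:
    """Backward induction: record the optimum move at every node in `plan`
    and return the payoff vector of the subgame that starts at `node`."""
    cont = solve(node.right, plan) if isinstance(node.right, Node) else node.right
    me = node.agent - 1
    # The mover compares only its own payoff; a tie goes to "down" (assumption).
    if cont[me] > node.down[me]:
        plan[node.name] = "right"
        return cont
    plan[node.name] = "down"
    return node.down


def on_path(root: Node, plan: Dict[str, str]) -> List[str]:
    """Nodes that are actually reached when both agents follow `plan`."""
    reached, node = [], root
    while isinstance(node, Node):
        reached.append(node.name)
        if plan[node.name] == "down":
            break
        node = node.right
    return reached


def deviations_needed(root: Node, plan: Dict[str, str],
                      target: str) -> List[Tuple[str, str, str]]:
    """Moves that must contradict `plan` for play to arrive at `target`.
    Each entry is (node, move prescribed by the plan, move actually required)."""
    out, node = [], root
    while isinstance(node, Node) and node.name != target:
        if plan[node.name] != "right":
            out.append((node.name, plan[node.name], "right"))
        node = node.right
    if not isinstance(node, Node):
        raise ValueError(f"no decision node named {target!r}")
    return out


if __name__ == "__main__":
    plan: Dict[str, str] = {}
    print("solution payoffs:", solve(N11, plan))
    print("plan:", plan)
    print("nodes reached under the plan:", on_path(N11, plan))
    print("deviations needed to reach 2.1:", deviations_needed(N11, plan, "2.1"))
```

The plan prescribes a move for agent 2 at node 2.1, yet that node is reached only if agent 1 has already departed from the same plan at node 1.1.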

It seems that the reason of the paradox is that agent, say i, can not have 
knowledge about future knowledge of another agent’s (say j) knowledge at some 
future state of the world. If the agent did have such knowledge and this knowledge 
were true, then this would violate the causality principle. The explanation is 
simple: knowing that agent i had such knowledge, agent j would take some 
actions, that would make this future knowledge or this future state of the world 
impossible. 

In the paper we present: 



— a construction of reasoning process that determines agent’s intention, 

— how to convey the dynamic case into so called one-shot case where each 
agent takes action at most once, 

— an explanation of the paradox. 
These items above will allow us to use the backward induction consistently with
the assumption of the common knowledge of rationality. 

2 Dynamic System 

The dynamic system is supposed to be a world in which the agents live. It 
consists of: 

— the set of global states denoted by $\Omega$, with the distinguished state, say $\omega^0$,
being the initial state,

— enumeration of agent’s sites denoted by the set $N = \{1, 2, 3, \dots, n\}$,

— for each site $i \in N$, there is the set of actions $A_i$ from which an agent,
occupying the site $i$, may take one action at any (discrete) moment of time,

— transition function $\Phi : \Omega \times \prod_{i \in N} A_i \to \Omega$ determining the next global state
of the system given the current state of the system and the actions taken by
the agents,

— the duration of the system, say $T$, being a natural number.

We assume that the time is discrete and the system is synchronous, i.e. at
any moment of time $t$, the agents take actions simultaneously, so that if the
system state is $\omega$ and the agents take actions $a_1, a_2, \dots, a_n$ respectively, then at
time $t + 1$ the global state of the system is moved to
$\omega' = \Phi(\omega, a_1, a_2, \dots, a_n)$ according to the transition function.

Let us introduce some useful notations. Let $A = \prod_{i \in N} A_i$, and let
$a^t = (a^t_1, a^t_2, \dots, a^t_n)$ denote the actions taken by the agents at time $t$.

Let $(\omega^0, a^0, a^1, a^2, \dots, a^{t-1})$ be called t-run of the system, or a possible history
by the time $t$. It is clear that each t-run determines the global states of the
system at times: $1, 2, \dots, t$.

Let $\Re$ be the set of all T-runs.

Let $r(t) = \omega^t$ denote the global state of the system at time $t$ determined by
run $r$.

Let $r(i,t) = a^t_i$ denote the action taken by the agent $i$ at time $t$ in the run
$r$.

For $r = (\omega^0, a^0, a^1, a^2, \dots, a^{T-1}) \in \Re$ and $t < T$, let

$(r,t) = (\omega^0, a^0, a^1, a^2, \dots, a^{t-1})$. Let $(r, t)$ be called a situation at time $t$. Let $S$
denote the set of all possible situations at times: $1, 2, \dots, T$.

The dynamic system defined above is abstract and, in fact, describes only 
relations between the system states and actions of the agents. Similar dynamic 
systems are considered in the theory of distributed systems, see [8,9]. 

3 Agent Model 

Let us stress that there are only agent sites in the dynamic system, so that it
is up to a designer of a MAS to put into these sites specific agent architectures.
We are going to outline some aspects of an abstract model of an agent that may
occupy the site $i$ in the dynamic system.

We distinguish the following five basic parts of this model: (1) Perception, (2) 
Desire, (3) Knowledge and belief, (4) Rational behavior, (5) Reasoning process, 
(6) Intention. 

3.1 Perception 

It is natural that an agent perceives, more or less, the world in which it lives.
Since the world is a dynamic system, the complete information about the world
is contained in the current global state of the system. Hence, agent perception
should consist of partial information about this global state. What an agent
perceives constitutes its local world with its local states. Formally, let $Q_i$
denote the set of local states of agent $i$. Then agent $i$’s perception is defined
as the function $J_i : \Omega \to Q_i$ with the following interpretation. If the
current global state is $\omega$, then agent $i$ perceives $q_i = J_i(\omega)$ as its
local state, i.e. $q_i$ is the current state of the (local world of) agent $i$. Hence,
agent $i$ knows only that the true global state of the system belongs to the set

$$J_i^{-1}(q_i) = \{\omega \in \Omega : J_i(\omega) = q_i\}$$

Since each $T$-run $r$ determines global states of the system at times
$t = 0, 1, 2, \ldots, T$, say $\omega^0, \omega^1, \ldots, \omega^T$, let

$$J_i(r) \stackrel{\mathrm{def}}{=} (J_i(\omega^0), J_i(\omega^1), \ldots, J_i(\omega^T))$$

denote the sequence of agent $i$’s local states for run $r$. Let us notice that $J_i(r)$
is the perception record of agent $i$ in the run $r$.

3.2 Desire 

The desire of agent $i$ is expressed by an aspiration level, denoted by a real
number $\alpha_i$, and a utility function $U_i$ defined on its perception records,
i.e. sequences of local states from time $t = 1$ to $t = T$. Formally

$$U_i : Q_i^T \to R,$$

where $R$ is the set of real numbers.

An agent’s desire is to find itself in local states $q_i^1, q_i^2, \ldots, q_i^T$
(state $q_i^t$ at time $t$) such that

$$U_i(q_i^1, q_i^2, \ldots, q_i^T) > \alpha_i.$$

We assume that any agent remembers all its previous local states, so that the
agent can calculate its utility. This implies that the agents know the global time;
in game theory this is called perfect recall. We may drop this assumption, but
then the notation becomes cumbersome.

3.3 Rational Behavior

If an agent wants to maximize its utility, then its behavior leading to this
maximization is called rational in game theory. Since there are several kinds of
rational behavior, like Bayesian, risk aversion, or gambler behavior (see [2]), we
introduce a general form of agent’s behavior that leads the agent to satisfy its
desire. In order to define agent behavior, we must define agent decision problems.

A primitive decision problem of agent $i$ ($pdp_i$ for short) is the following

$$pdp_i = (A_i, (\mu_{a_i})_{a_i \in A_i}),$$

where $\mu_{a_i}$ is a probability distribution on the set of the real numbers.

The interpretation is the following: if agent $i$ has to deal with the primitive
decision problem $pdp_i$ and takes action $a_i$, then the probability that its utility
will be $x$ is equal to $\mu_{a_i}(x)$. So in this case the agent is not sure about the
result of its action.

Let $PDP_i$ be the set of all $pdp_i$. The behavior of agent $i$ is defined as a
function $Rb_i$ on $PDP_i$ with the following interpretation. If agent $i$’s behavior
is $Rb_i$, and the agent has to deal with $pdp_i$, then the agent considers the actions
from the set $Rb_i(pdp_i) \subseteq A_i$ as optimal, i.e. satisfying its desire. Usually
the desire attributes of the agent, $\alpha_i$ and $U_i$, are taken as the parameters of
behavior $Rb_i$.

As an example of rational agent behavior, we may consider so-called Bayesian
behavior defined as follows: $Rb_i(A_i, (\mu_{a_i})_{a_i \in A_i})$ is the set of all
actions $a_i$ that maximize the expected utility

$$\sum_{x \in R} x \cdot \mu_{a_i}(x).$$

Sometimes an agent knows only that its primitive decision problem belongs
to some set $S$; then it is natural to consider as optimum any action from the set

$$A' = \bigcup_{pdp_i \in S} Rb_i(pdp_i).$$

An agent’s behavior should reflect the agent’s desire to achieve its goal, see [2].
Since an agent’s behavior depends directly on the primitive decision problems, it
is clear that all of the agent’s knowledge and reasoning resources should be used
to determine the $pdp_i$.

3.4 Knowledge and Belief 

It is supposed that an agent’s perception function, desire, and rational
behavior cannot be changed over time. However, an agent’s knowledge and belief
are subject to change.

At any moment of time $t$, agent $i$ has knowledge about what $T$-runs are
possible. Let the set of $T$-runs that are possible according to agent $i$ be denoted
by $\Re_i^t$. The agent may consider some $T$-runs as more or less probable, so we
must introduce the notion of agent belief at time $t$, denoted by $Bel_i^t$. It is a
probability distribution on $\Re_i^t$.

Let $\Delta\Re_i^t$ denote the set of all probability distributions defined on $\Re_i^t$.

Let $(\Re_i^t, Bel_i^t)$ constitute agent $i$’s ground knowledge at time $t$.

It should be clear that each $(\Re_i^t, Bel_i^t)$ determines a unique
$pdp_i = (A_i, (\mu_{a_i})_{a_i \in A_i})$ in the following way:

Let $Z(a_i, x) = \{r \in \Re_i^t : r(i,t) = a_i \;\&\; U_i(J_i(r)) = x\}$, then

$$\mu_{a_i}(x) = \sum_{r \in Z(a_i, x)} Bel_i^t(r);$$

for the definition of $r(i,t)$ see Section 2, and for $J_i(r)$ see Section 3.1. So
we will somewhat abuse the notation, writing $Rb_i(\Re_i^t, Bel_i^t)$ instead of
$Rb_i(pdp_i)$. Let

$$char_i^t = (\Re_i^t, Bel_i^t; J_i, U_i, \alpha_i, Rb_i)$$

denote a possible characteristics of agent $i$ at time $t$. In fact, it consists of the
agent’s ground knowledge, perception, desire, and rational behavior. Let $CHAR_i^t$
denote the set of all such possible characteristics.
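The construction of Sections 2 to 3.4 can be traced on a small system. The following is an added example, not code from the paper: the three-state system, the two perception functions, the utility and the uniform belief are all constructed for illustration. As a further assumption of the example, each $\mu_{a_i}$ is normalized over the runs in which agent $i$ takes $a_i$, so that it is a probability distribution as Section 3.3 requires.

```python
from fractions import Fraction
from itertools import product

# Constructed system for this example: three global states, two sites, T = 2.
OMEGA = (0, 1, 2)
SITES = (1, 2)
ACTIONS = ("wait", "push")        # A_i, identical for both sites here
T = 2

def phi(state, joint_action):
    """Transition function: every 'push' advances the state by one, modulo 3."""
    return (state + joint_action.count("push")) % 3

# Perception J_i: site 1 sees the state exactly, site 2 only sees whether it is 0.
PERCEPTION = {1: lambda w: w, 2: lambda w: "empty" if w == 0 else "loaded"}
EMPTY = {1: 0, 2: "empty"}

def utility(i, record):
    """U_i on a perception record: number of times 1..T at which agent i
    perceives a non-empty local state."""
    return sum(1 for q in record[1:] if q != EMPTY[i])

def all_runs():
    """All T-runs (w0, a^0, ..., a^{T-1}); the initial state ranges over OMEGA
    because an agent may be uncertain about it."""
    joint = list(product(ACTIONS, repeat=len(SITES)))
    return [(w0,) + steps for w0 in OMEGA for steps in product(joint, repeat=T)]

def state_at(run, t):
    """r(t): global state at time t determined by the run."""
    w = run[0]
    for joint_action in run[1:1 + t]:
        w = phi(w, joint_action)
    return w

def action_of(run, i, t):
    """r(i, t): action of agent i at time t in the run."""
    return run[1 + t][SITES.index(i)]

def perception_record(run, i):
    """J_i(r): agent i's local states at times 0..T."""
    return tuple(PERCEPTION[i](state_at(run, s)) for s in range(T + 1))

def ground_runs(i, t, q):
    """Runs agent i still considers possible after perceiving q at time t."""
    return [r for r in all_runs() if PERCEPTION[i](state_at(r, t)) == q]

def primitive_decision_problem(i, t, belief):
    """mu[a][x]: probability under `belief` that utility is x, given action a at t."""
    mu = {}
    for a in ACTIONS:
        runs = [r for r in belief if action_of(r, i, t) == a]
        mass = sum(belief[r] for r in runs)
        if mass == 0:
            continue                      # the belief rules this action out
        dist = {}
        for r in runs:
            x = utility(i, perception_record(r, i))
            dist[x] = dist.get(x, 0) + belief[r] / mass
        mu[a] = dist
    return mu

def bayesian_behavior(mu):
    """Rb_i for Bayesian behavior: the actions with maximal expected utility."""
    expected = {a: sum(x * p for x, p in dist.items()) for a, dist in mu.items()}
    best = max(expected.values())
    return {a for a, e in expected.items() if e == best}, expected

def intention(i, true_state, t=0):
    """Optimal actions of agent i at time t when the true global state is given."""
    runs = ground_runs(i, t, PERCEPTION[i](true_state))
    belief = {r: Fraction(1, len(runs)) for r in runs}   # uniform Bel (assumption)
    return bayesian_behavior(primitive_decision_problem(i, t, belief))

if __name__ == "__main__":
    for site in SITES:
        print(site, intention(site, true_state=2))
```

With the true initial state 2, the agent at site 1 (exact perception) regards "push" as optimal, while the agent at site 2, which cannot tell state 1 from state 2, regards "wait" as optimal.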

Now we are going to define a representation of mutual knowledge, i.e.
knowledge about other agents and their knowledge. For any sequence
$i, j_1, \ldots, j_k$ (of elements from the set $N$), let

$K^t_{i,j_1,\ldots,j_k}$ be a subset of $CHAR^t_{j_k}$.

The meaning of the introduced notation is the following:

— at time $t$ agent $i$ knows that agent $j_1$ knows that ... that agent $j_k$’s
characteristics belongs to the set $K^t_{i,j_1,\ldots,j_k}$.

Let us see that the following sequence

$$K^t_i,\ (K^t_{i,j_1})_{j_1 \in N},\ (K^t_{i,j_1,j_2})_{j_1,j_2 \in N},\ \ldots$$

represents a tree, that is, $K^t_i$ is the root of the tree and it is a characteristics
of agent $i$, $(K^t_{i,j_1})_{j_1 \in N}$ is the collection of nodes at level 1,
$(K^t_{i,j_1,j_2})_{j_1,j_2 \in N}$ is the collection of nodes at level 2, and so on.
Hence, the tree is a representation of the mutual knowledge of agent $i$. Of course
we should put some restrictions on the sets $K^t_{i,j}$, like that agent $i$ cannot
know more about agent $j$’s knowledge than agent $j$ itself, and so on.

Let us note that this knowledge representation may be constructed in the 
way that is consistent with the standard notion of knowledge, see for example 
Halpern et al. [6]. 

The notion of mutual knowledge is weaker than the notion of common knowl- 
edge (for details see [6]), however it is enough for our purpose, because we will 
consider the trees with finite branches.

Fig. 1



In the figure we put for simplicity that K* = {char*} and = {char}^}, 
and K*^-/ = {char*, }. The rest components of the mutual knowledge are empty 
sets and denote that agent i has no knowledge about the agent j'{, and no knowl- 
edge about what agents ji,fi know about other agents. Similar representation 
of mutual knowledge is applied in Recursive Modeling Method, see [7]. 

There is also another representation of mutual knowledge that is much
simpler to grasp, but hard to use in applications. It may be called the generic
representation, and is constructed in the following way. Let $\mathcal{K}_i$ denote
the type of agent $i$’s knowledge, which will be defined below. The canonical form
of an object of type $\mathcal{K}_i$ is

$$(char_i; Q_{ij}, j \in N)$$

where $N$ is the set of all agents and $Q_{ij}$ is a subset (possibly empty) of
objects of type $\mathcal{K}_j$.

Let us note that this construction is recursive and for practical reasons should 
not be nested ad infinitum. 



3.5 Reasoning Process 

An agent’s reasoning should focus on reducing as much as possible the set of
runs $\Re_i^t$ and determining belief $Bel_i^t$. These two constitute the agent’s
ground knowledge. A schema of such a reasoning process is presented below as
Fig. 2. Transformations are shown there as arrows.

From perception to $\Re_i^t$. This transformation is natural. Agent $i$, perceiving
$q_i^t$, knows that the true global state belongs to the set $J_i^{-1}(q_i^t)$. Hence
the transformation consists in removing from the set $\Re_i^t$ those runs that
determine global states at time $t$ not consistent with the local state $q_i^t$, i.e.
such runs $r$ for which $J_i(r(t)) \ne q_i^t$; for the definition of $r(t)$ see Section 2.

From perception to mutual knowledge. Agent $i$, knowing the perception
function (mechanism) of another agent $j$, can deduce roughly what agent $j$
perceives. For details see the next transformation. This is also the case in the
famous three wise men puzzle, see [8,9]. If agent $i$ perceives at time $t$ what
action was taken by agent $j$ at time $t - 1$, then, knowing agent $j$’s
characteristics, agent $i$ may deduce what agent $j$’s ground knowledge at time
$t - 1$ must have been for agent $j$ to take the action which it has already taken.

From characteristics to revised characteristics. An agent, by taking action
$a_i^t$, makes some $T$-runs impossible. So the agent must remove these impossible
(inconsistent) runs from the set $\Re_i^t$. That is, the run $r$ is consistent with
action $a_i^t$ if $r(i,t) = a_i^t$ (for the definition of $r(i,t)$ see Section 2).



Fig. 2. Dynamic structure of knowledge and transformations: time from t to t + 1. 



Dotted vectors denote the transformations that are not yet constructed; they
concern mainly the revision of belief $Bel_i^t$.

From mutual knowledge to ground knowledge. This transformation deserves more
attention. First let us consider the so-called one-shot case, where $T = 1$, i.e.
the agents take action only once. Later on we will show how the dynamic case can
be transformed into the one-shot case.

Let us note that for $T = 1$: $\Re = \Omega \times A$. So $T$-runs are of the
following form: $(\omega, a)$.

Let us consider agent $j$’s point of view. Since $\omega^0$ is the initial global
state of the system, according to its perception $J_j$, agent $j$ knows that the
true global state belongs to the set $J_j^{-1}J_j(\omega^0)$. Hence, agent $j$ reduces
$\Re$ to the set

$$\Re_j^0 = \{(\omega, a) : J_j(\omega) = J_j(\omega^0) \;\&\; a \in A\}$$

of the runs that are consistent with its perception.

Since agent $j$’s belief is subject to change during its reasoning process,
initially agent $j$ considers all beliefs from the set $\Delta\Re_j^0$. Hence, agent $j$,
according to its behavior $Rb_j$, regards as optimal the actions from the set

$$A_j^0 = \bigcup_{Bel_j \in \Delta\Re_j^0} Rb_j(\Re_j^0, Bel_j).$$

Now let us consider agent $i$’s point of view. Suppose that agent $i$ knows agent
$j$’s characteristics, however without $Bel_j$, which seems reasonable since the
belief is subject to change. So agent $i$’s mutual knowledge is

$$K^0_{ij} = \{(\Re, *; J_j, U_j, \alpha_j, Rb_j)\}$$

where the star $*$ denotes that $Bel_j$ is unknown.

According to its perception, agent $i$ knows that possible runs belong to the
set

$$\Re_i^0 = \{(\omega, a) : J_i(\omega) = J_i(\omega^0) \;\&\; a \in A\}.$$

Since agent $i$ knows agent $j$’s perception mechanism $J_j$, it knows only that

$\Re_j^0$ is a subset of the set $\bigcup_{(\omega, a) \in \Re_i^0} \{(\omega', a') : J_j(\omega') = J_j(\omega)\}$.

Let the set on the right side of the inclusion be denoted by $\Re^0_{ij}$; the meaning
is that agent $i$ knows that agent $j$ knows that the true state of the world belongs
to this set. This is the standard definition; for details see for example Aumann
[3,4]. Agent $i$ considers all runs $r = (\omega, a) \in \Re_i^0$ as possible, so if agent
$i$ assumes that $\omega$ was the true state, then according to agent $i$, agent $j$ would
know that this state belongs to the set $J_j^{-1}J_j(\omega)$.

Agent $i$ is able to reconstruct the reasoning of agent $j$, so agent $i$ knows
that

$A_j^0$ is a subset of the set $\bigcup_{Bel_j \in \Delta\Re^0_{ij}} Rb_j(\Re^0_{ij}, Bel_j)$.

Let the set on the right side of the inclusion be denoted by $A^0_{ij}$. This denotes
that agent $i$ knows that agent $j$’s optimum actions belong to $A^0_{ij}$.

On the basis of this reasoning agent $i$ reduces the set of possible runs to the
set of all $(\omega, a_1, \ldots, a_j, \ldots, a_n) \in \Re_i^0$ such that $a_j \in A^0_{ij}$.

In this way we have described the transformation of knowledge $K^0_{ij}$ into
$K^0_i$, i.e. the ground knowledge of agent $i$. In a similar way we can define the
transformations from $K^0_{i j_1 j_2}$ into $K^0_{i j_1}$ and generally from
$K^0_{i j_1 \ldots j_k}$ into $K^0_{i j_1 \ldots j_{k-1}}$. Hence,







Stanislaw Ambroszkiewicz and Jan Komar 



starting with the highest nodes of the mutual knowledge tree (see Fig 2.) we can 
reduce this agent i’s mutual knowledge to the root of the tree, i.e. to agent i’s 
ground knowledge. 

The idea of how to convert the dynamic case, where $T > 1$, is simple and uses
the so-called agent normal form of an extensive game introduced by Selten [12].
In order to make the presentation clear, let us assume that the agents’ perception
is such that they know exactly the current global state of the system.

First we split agent $i$’s site into the sites $(s, i)$, where $s$ is a situation
from the set $S$ of all situations defined in Section 2. In each site $(s, i)$ we
put a copy of agent $i$ denoted as agent $si$. The new agent $si$ has the same set of
possible actions as agent $i$, namely $A_i$, and is responsible for taking at most
one action, say $a_{si}$, from the set $A_i$ in situation $s$. The perception, desire,
and rational behavior of agent $si$ are the same as those of agent $i$, and this fact
is common knowledge between all the agents $si$, for fixed $i$ and all $s \in S$.

This leads to the case where, at each agent site $(s, i)$, action is taken at most
once, i.e. when situation $s$ takes place. Of course, some situations never occur.

Let us suppose that each agent $si$ takes action $a_{si} \in A_i$. Then this
determines some $T$-run (say $r$) of the system. This run, in turn, determines the
sequence of global states of the system, and finally it gives the common utility
$U_i(J_i(r))$ for each agent $si$, for fixed $i$ and all $s \in S$.

In this way the dynamic case may be transformed into the one-shot case.



3.6 Intentions 

Let us note that the transformation into agent normal form can be applied
in any situation at any time of the dynamic system. So any agent $i$ can
compute its own final ground knowledge at time $t$.

Once the final ground knowledge of agent $i$ is computed, let it be
$(\Re_i^t, Bel_i^t)$, agent $i$’s final intention, concerning its decision of taking
action at time $t$, is given by the set $Rb_i(\Re_i^t, Bel_i^t)$, meaning that agent
$i$ regards any action from this set as an optimum one.



4 Explanation of the Paradox 

The transformation of a dynamic system into a game in normal form presented
above makes it possible to overcome the paradox concerning mutual knowledge and
backward induction.

Coming back to the example, see Fig. 1, let us see that any agent performs
its reasoning before the play starts, so that the agent cannot consider itself or
other agents in some situations in a possible future.

After the transformation, there are no temporal or causal relations between
nodes 1.1, 2.1, and 1.2. So we have three agents: agent 1.1, agent 2.1,
and agent 1.2. Agent 1.1 and agent 1.2 share the same outcome and the same
utility. The agents exist at the same time in the same world, so they can
reason consistently about the knowledge and rationality of the other agents. So
the backward induction (now rather iterated elimination of dominated actions)
may now be performed equivalently on the game in normal form, where there are
no reasons for a contradiction with the assumption of the common knowledge of
agents’ rationality.

5 Conclusion 

In the reasoning process presented above, the transformations that concern the
revision of belief $Bel_i^t$ are missing. Also, communication and coordination
between agents are not included there. So the agent’s intentions are individual
and concern only individual actions of the agent. Hence, there is still a lot to be
done in modeling BDI-agents in the game-theoretic framework.

Abstract. Typically some of an agent’s beliefs are more reliable than
others. Consequently we give a hierarchical definition of belief, according
to which an agent’s beliefs form a coherent hierarchy and new beliefs are
defined with reference to it. We then show how preferential entailment
can be used to formalize the persistence and revision of belief hierarchies,
and discuss the relationship between our theory and the AGM theory
of belief revision.



1 Introduction 

Consider the following episode: 

On January 14, 1997, Zhisheng was travelling by train from Rome to 
Siena in order to participate in a workshop on agent modelling. He had to 
change trains at Chiusi, so on arrival at the station he hurried to discover 
the platform number of the next train departing for Siena. According to 
the published timetable the next train would depart from platform one 
at 19:34, so he believed that this would be the case. Consequently he was 
very surprised when the electronic departures board in the station hall 
showed that the next train for Siena would depart from platform two. 
He considered that the information on the board was more reliable than 
that on the timetable, as it was more recent and more easily updated. 
So he dropped the belief that the train would depart from platform one 
in favour of the belief that it would depart from platform two. In order 
to be sure, he asked the man at the information desk and was assured 
that the next train for Siena would indeed depart from platform two. 
Zhisheng considered this to be the most reliable information so far. So 
he continued to believe that the train would depart from platform two 
despite the fact that at about 19:15 a train labelled “Chiusi - Siena” 
arrived at platform one. By 19:28 there was still no sign of a train on 
platform two, so he started to have doubts. Fortunately there was a 
signalman on platform three, so Zhisheng hurried over and asked him. 
The signalman told him that the next train for Siena was the one now 
on platform one. Zhisheng considered that the signalman was in a better 
position to know than the man at the information desk. So he revised his
beliefs again and hurriedly boarded the train on platform one. At 19:34
the train pulled out and, happily, it arrived at Siena in due course.

In this paper we aim to model reasoning of this kind. In order to do so we 
introduce the notion of a belief hierarchy. At any point in time an agent has a 
set of beliefs, a belief set, and considers some of these beliefs to be more reliable 
than, or preferable to, others. For example, Zhisheng considered the platform 
number given on the departures board to be more reliable than the one given in 
the published timetable. The agent’s preferences define a preference ordering on 
the agent’s belief set. Typically the preference ordering is partial. For example, 
Zhisheng believed that the timetable showed that the next train for Siena would 
depart from platform one, and he believed that the departures board showed 
that the next train for Siena would depart from platform two. Since both beliefs 
were based on his own observations, he considered them to be equally reliable; 
that is, he regarded them indifferently. At any point in time the agent’s beliefs 
and preferences among them form the agent’s belief hierarchy at that point in 
time. 

Typically the agent’s belief hierarchy is dynamic; as time progresses the
agent’s beliefs and the preferences among them change. For example, Zhisheng
initially believed that the next train for Siena would depart from platform one;
however, after looking at the departures board, he believed instead that the
train would depart from platform two. However, the belief hierarchies of
rational agents tend to exhibit a certain stability. For example, Zhisheng did not
reconsider his beliefs about what he had observed. The agent’s beliefs and the 
preferences among them thus persist by default. Indeed, the belief hierarchies of 
rational agents tend to be upwardly stable; that is, the higher the belief in the 
hierarchy, the more it tends to remain in and maintain its relative position in it. 
For example, Zhisheng’s beliefs about what he had observed were more stable 
than his beliefs about which platform the next train for Siena would depart from. 
This reflects the principle that rational agents should keep higher-level beliefs in 
preference to lower-level beliefs whenever possible. The beliefs in the hierarchy
of a rational agent should also be coherent; that is, they should, in some sense, 
be jointly consistent. Roughly, an agent’s belief hierarchy is coherent if every 
belief in the hierarchy is consistent with every belief which is at least as reliable 
as it; a precise definition is given in the sequel. If a rational agent realises that its 
beliefs are incoherent, the agent should revise them in order to restore coherence. 
In doing so the agent should retain more preferred beliefs in favour of less pre- 
ferred ones wherever coherence permits. Moreover, the agent should only make 
those changes which are necessary in order to restore coherence. For example, 
Zhisheng’s belief that the departures board was correct was inconsistent with 
his belief that the published timetable was correct, so he restored consistency 
by dropping the latter, less preferred, belief. 

Belief hierarchies can perhaps be seen as providing a formalization of Quine’s
“Web of Belief” metaphor [11,12,13], especially as explicated by Dummett [5].
There are also interesting similarities and differences between our theory and
the theory of belief revision developed by Alchourrón, Gärdenfors and Makinson







John Bell and Zhisheng Huang 



[6,7], the “AGM theory”, and a comparison is given in the sequel. Our theory is 
intended as part of a larger theory of practical reasoning and rationality [2]; in 
particular, it has been used in the development of a common sense theory of the 
adoption of perception-based beliefs [4].

Our theory is expressed in the language CA [1] which has been extended 
to include the preference operator of ALX [8,9]. In the following section we 
discuss the representation of time and preferences. In Section 3 we give the formal
definition of beliefs and belief hierarchies, and study their static properties. In 
the final section we show how preferential entailment can be used to formalize 
the rational revision of belief hierarchies, show how the opening example can 
be formalized, and discuss the relationship between our theory and the AGM 
theory. 

2 Time, Preference, and Indifference 

CA is a many-sorted, modal temporal language. The atomic sentences of CA all
have a temporal index. For example, the sentence $OnTable(B)(3)$ states that
block $B$ is on the table at time point 3. Thus time is taken to be composed of
points and, for simplicity, we will assume that it is discrete and linear.¹

The models of CA are fairly complex possible-worlds structures. Each model
comes equipped with an interpretation function $V$ which assigns an $n$-ary relation
to each $n$-ary relation symbol at each time point at each possible world. Thus,
for model $M$, world $w$ in $M$ and variable assignment $g$,²

$$M, w, g \models r(u_1, \ldots, u_n)(t) \text{ iff } (u_1, \ldots, u_n) \in V(r, t, w)$$

¹ The extension to intervals is straightforward; see e.g. [3].

² For the sake of simplicity of presentation we will let the distinction between terms
and their denotations in $M$ given $g$ take care of itself.

A sentence of the form $Pref(a, \phi, \psi)(t)$ states that agent $a$ prefers $\phi$ to
$\psi$ at time $t$. The semantics of the preference operator begin with von Wright’s
conjunction expansion principle [16]. According to this principle, to say that
you prefer an apple to an orange is to say that you prefer situations in which
you have an apple and no orange to those in which you have an orange and
no apple. In possible-worlds terms this principle might be stated as follows:
agent $a$ prefers $\phi$ to $\psi$ if $a$ prefers $\phi \wedge \neg\psi$-worlds to
$\psi \wedge \neg\phi$-worlds. However, this semantics is too simple, as it leads to
paradoxes involving conjunction and disjunction. If $\phi$ is preferred to $\psi$ then
$\phi \vee \chi$ is preferred to $\psi$, and $\phi$ is preferred to $\psi \wedge \chi$. For
example, if $a$ prefers coffee to tea, then $a$ prefers coffee or poison to tea, and $a$
prefers coffee to tea and a million dollars. Clearly we need to capture the ceteris
paribus nature of preferences: we should compare $\phi \wedge \neg\psi$-worlds and
$\psi \wedge \neg\phi$-worlds which otherwise differ as little as possible from the
actual world. In order to do so we introduce the selection function from the
Stalnaker-Lewis analysis of conditionals [10,15]. Thus the function $cw$ is of type
$W \times \wp(W) \to \wp(W)$, and, intuitively, $cw(w, [\![\phi]\!]^M_g)$ is the set of
closest worlds to $w$ in which $\phi$ is true.³ Formally, $cw$ is required to satisfy the
conditions imposed by Lewis in [10]. The agent’s preferences over time are
represented by the function $\succ : A \times T \to \wp(\wp(W) \times \wp(W))$, which
assigns a comparison relation over sets of worlds to each agent at each time point.
Intuitively, for sets of worlds $X$ and $Y$, $X \succ_{(a,t)} Y$ means that agent $a$
prefers the worlds in $X$ to the worlds in $Y$ at time $t$. Preferences are required to
be irreflexive and transitive, and should satisfy left and right disjunction.
Accordingly, let $X \sqsupset_{(a,t,w)} Y$ abbreviate
$cw(w, X \cap \overline{Y}) \succ_{(a,t)} cw(w, Y \cap \overline{X})$. Then each
$\sqsupset_{(a,t,w)}$ is required to satisfy the following properties:

(irp) $X \not\sqsupset_{(a,t,w)} X$.

(trp) If $X \sqsupset_{(a,t,w)} Y$ and $Y \sqsupset_{(a,t,w)} Z$ then $X \sqsupset_{(a,t,w)} Z$.

(orl) If $X \sqsupset_{(a,t,w)} Z$ and $Y \sqsupset_{(a,t,w)} Z$ then $X \cup Y \sqsupset_{(a,t,w)} Z$.

(orr) If $X \sqsupset_{(a,t,w)} Y$ and $X \sqsupset_{(a,t,w)} Z$ then $X \sqsupset_{(a,t,w)} Y \cup Z$.

The truth condition for preferences is then as follows:

$$M, w, g \models Pref(a, \phi, \psi)(t) \text{ iff } [\![\phi]\!]^M_g \sqsupset_{(a,t,w)} [\![\psi]\!]^M_g.$$

Given these semantics, we have the following axioms:

(IRP) $\neg Pref(a, \phi, \phi)(t)$

(TRP) $Pref(a, \phi, \psi)(t) \wedge Pref(a, \psi, \chi)(t) \to Pref(a, \phi, \chi)(t)$

(ORL) $Pref(a, \phi, \chi)(t) \wedge Pref(a, \psi, \chi)(t) \to Pref(a, \phi \vee \psi, \chi)(t)$

(ORR) $Pref(a, \phi, \psi)(t) \wedge Pref(a, \phi, \chi)(t) \to Pref(a, \phi, \psi \vee \chi)(t)$

(CEP) $Pref(a, \phi, \psi)(t) \leftrightarrow Pref(a, (\phi \wedge \neg\psi), (\neg\phi \wedge \psi))(t)$

(IRP) and (TRP) state the irreflexivity and transitivity of preferences
respectively, while (ORL) and (ORR) respectively state left and right disjunction
of preferences.⁴ Finally, (CEP) states the conjunction expansion principle. The
following are theorems:

(AS) $Pref(a, \phi, \psi)(t) \to \neg Pref(a, \psi, \phi)(t)$

(CP) $Pref(a, \phi, \psi)(t) \to Pref(a, \neg\psi, \neg\phi)(t)$

Thus preferences are asymmetric (AS) and contraposable (CP). Note that
$Pref(a, \phi, \psi)(t)$ implies neither $Pref(a, \phi \vee \chi, \psi)(t)$ nor
$Pref(a, \phi, \psi \wedge \chi)(t)$, so the paradoxes of conjunction and disjunction of
preferences are avoided.

³ As usual, $[\![\phi]\!]^M_g$ denotes the set of worlds in $M$ in which $\phi$ is
satisfied by $g$; i.e., $[\![\phi]\!]^M_g = \{w \in W : M, w, g \models \phi\}$.

⁴ The disjunctive properties of preferences were suggested by Pierre-Yves Schobbens.

We also require indifference and weak preference operators. Informally,
$Ind(a, \phi, \psi)(t)$ states that agent $a$ is indifferent between $\phi$ and $\psi$ at
time $t$, while $PrefInd(a, \phi, \psi)(t)$ states that $a$ weakly prefers $\phi$ to $\psi$
at time $t$; that is, either $a$ strongly prefers $\phi$ to $\psi$ at $t$ or $a$ is
indifferent between $\phi$ and $\psi$ at $t$. In order to do so, we require a stronger
notion of (strong) preference. Each $\sqsupset_{(a,t,w)}$ should now also be almost
connected:

(acp) If $X \sqsupset_{(a,t,w)} Y$ then for any $Z \in \wp(W)$ either
$X \sqsupset_{(a,t,w)} Z$ or $Z \sqsupset_{(a,t,w)} Y$.

Then the indifference relation, $\sim_{(a,t,w)}$, can be defined as follows:

$X \sim_{(a,t,w)} Y$ iff $X \not\sqsupset_{(a,t,w)} Y$ and $Y \not\sqsupset_{(a,t,w)} X$.

We thus have the following additional axioms for preference and indifference:

(ACP) $Pref(a, \phi, \psi)(t) \wedge \neg Pref(a, \phi, \chi)(t) \to Pref(a, \chi, \psi)(t)$

(IND) $Ind(a, \phi, \psi)(t) \leftrightarrow \neg Pref(a, \phi, \psi)(t) \wedge \neg Pref(a, \psi, \phi)(t)$

(TRI) $Ind(a, \phi, \psi)(t) \wedge Ind(a, \psi, \chi)(t) \to Ind(a, \phi, \chi)(t)$

(ACP) states that preferences are almost connected and (TRI) states that
indifference is transitive. Obviously it follows from (IND) that indifference is also
reflexive (REI), and symmetric (SYI):

(REI) $Ind(a, \phi, \phi)(t)$

(SYI) $Ind(a, \phi, \psi)(t) \to Ind(a, \psi, \phi)(t)$

Finally, the weak preference operator is introduced by definition:

(WP) $PrefInd(a, \phi, \psi)(t) \leftrightarrow Pref(a, \phi, \psi)(t) \vee Ind(a, \phi, \psi)(t)$

Proposition 1. Properties of (strong) preference, weak preference and
indifference.

1. Consistency of preference and indifference:

$Pref(a, \phi, \psi)(t) \wedge Ind(a, \phi, \chi)(t) \to Pref(a, \chi, \psi)(t)$
$Pref(a, \phi, \psi)(t) \wedge Ind(a, \psi, \chi)(t) \to Pref(a, \phi, \chi)(t)$

2. Weak preference is reflexive, transitive, and comparable:

$PrefInd(a, \phi, \phi)(t)$
$PrefInd(a, \phi, \psi)(t) \wedge PrefInd(a, \psi, \chi)(t) \to PrefInd(a, \phi, \chi)(t)$
$PrefInd(a, \phi, \psi)(t) \vee PrefInd(a, \psi, \phi)(t)$

3. Consistency of indifference and weak preference:

$Ind(a, \phi, \psi)(t) \leftrightarrow PrefInd(a, \phi, \psi)(t) \wedge PrefInd(a, \psi, \phi)(t)$

4. Consistency of (strong) preference and weak preference:

$Pref(a, \phi, \psi)(t) \leftrightarrow \neg PrefInd(a, \psi, \phi)(t)$

5. Exactly one of the following holds:

$Pref(a, \phi, \psi)(t)$, $Ind(a, \phi, \psi)(t)$, $Pref(a, \psi, \phi)(t)$

Proof. (1) For the first part, suppose that $Pref(a, \phi, \psi)(t)$ and
$Ind(a, \phi, \chi)(t)$ but that $\neg Pref(a, \chi, \psi)(t)$. If $Pref(a, \psi, \chi)(t)$
then, by transitivity of preference, we have $Pref(a, \phi, \chi)(t)$, contradicting
the supposition that $Ind(a, \phi, \chi)(t)$. So it must be the case that
$\neg Pref(a, \psi, \chi)(t)$. Hence, by definition, $Ind(a, \chi, \psi)(t)$. But then, as
indifference is transitive, we have $Ind(a, \phi, \psi)(t)$, contradicting the
supposition that $Pref(a, \phi, \psi)(t)$. So it must be the case that
$Pref(a, \chi, \psi)(t)$.

For the second part, suppose that $Pref(a, \phi, \psi)(t)$ and $Ind(a, \psi, \chi)(t)$
but that $\neg Pref(a, \phi, \chi)(t)$. If $Pref(a, \chi, \phi)(t)$ then, by transitivity of
preference, $Pref(a, \chi, \psi)(t)$, contradicting the supposition that
$Ind(a, \psi, \chi)(t)$. So it must be the case that $\neg Pref(a, \chi, \phi)(t)$. Hence,
by definition, $Ind(a, \phi, \chi)(t)$. But then, as indifference is transitive, we have
$Ind(a, \phi, \psi)(t)$, contradicting the supposition that $Pref(a, \phi, \psi)(t)$. So
it must be the case that $Pref(a, \phi, \chi)(t)$.

(2) Reflexivity. Since $Pref$ is irreflexive, we have $\neg Pref(a, \phi, \phi)(t)$. By
the definition of indifference, this means that $Ind(a, \phi, \phi)(t)$. Thus
$PrefInd(a, \phi, \phi)(t)$.

Transitivity. Suppose that $PrefInd(a, \phi, \psi)(t) \wedge PrefInd(a, \psi, \chi)(t)$;
then there are four cases to consider.

Case 1. $Pref(a, \phi, \psi)(t) \wedge Pref(a, \psi, \chi)(t)$. Since preference is
transitive, we have $Pref(a, \phi, \chi)(t)$. So, by definition,
$PrefInd(a, \phi, \chi)(t)$.

Case 2. $Pref(a, \phi, \psi)(t) \wedge Ind(a, \psi, \chi)(t)$. By part (1),
$Pref(a, \phi, \chi)(t)$ holds. So, by definition, $PrefInd(a, \phi, \chi)(t)$.

Case 3. $Ind(a, \phi, \psi)(t) \wedge Pref(a, \psi, \chi)(t)$. Similarly, by part (1), we
have $PrefInd(a, \phi, \chi)(t)$.

Case 4. $Ind(a, \phi, \psi)(t) \wedge Ind(a, \psi, \chi)(t)$. By the transitivity of
indifference we have $Ind(a, \phi, \chi)(t)$, so, by definition,
$PrefInd(a, \phi, \chi)(t)$.

Comparability. Suppose that $\neg PrefInd(a, \phi, \psi)(t)$. Then, by definition,
$\neg Pref(a, \phi, \psi)(t)$ and $\neg Ind(a, \phi, \psi)(t)$. So it follows from the
definition of indifference that $Pref(a, \psi, \phi)(t)$. So it follows from the
definition of weak preference that $PrefInd(a, \psi, \phi)(t)$.

For (3), suppose that $Ind(a, \phi, \psi)(t)$. By the definition of weak preference
we have $PrefInd(a, \phi, \psi)(t)$. And, by the symmetry of indifference and the
definition of weak preference, we have $PrefInd(a, \psi, \phi)(t)$. Conversely,
suppose that $PrefInd(a, \phi, \psi)(t) \wedge PrefInd(a, \psi, \phi)(t)$. If
$\neg Ind(a, \phi, \psi)(t)$ holds, then by the symmetry of indifference, we also have
$\neg Ind(a, \psi, \phi)(t)$. Furthermore, from the definition of weak preference, we
have $Pref(a, \phi, \psi)(t) \wedge Pref(a, \psi, \phi)(t)$. So, by the transitivity of
(strong) preference, we have $Pref(a, \phi, \phi)(t)$. But this contradicts the
irreflexivity of preference. Thus, we conclude that $Ind(a, \phi, \psi)(t)$.

For (4), suppose that $Pref(a, \phi, \psi)(t)$. If $PrefInd(a, \psi, \phi)(t)$, it
follows by definition that either $Pref(a, \psi, \phi)(t)$ or $Ind(a, \psi, \phi)(t)$.
But the former contradicts the asymmetry of preference, and the latter contradicts
the irreflexivity of preference by part (1). Conversely, suppose that
$\neg PrefInd(a, \psi, \phi)(t)$. Then, by definition of weak preference,
$\neg Pref(a, \psi, \phi)(t)$ and $\neg Ind(a, \psi, \phi)(t)$. As
$\neg Ind(a, \psi, \phi)(t)$, it follows that either $Pref(a, \psi, \phi)(t)$ or
$Pref(a, \phi, \psi)(t)$. The former contradicts $\neg Pref(a, \psi, \phi)(t)$. So we
conclude the latter.

(5) is straightforward from (4). □







3 Belief Hierarchies 

We now proceed to the definition of beliefs and belief hierarchies, beginning with
candidate beliefs. Intuitively a sentence $\phi$ is a candidate belief of agent $a$ at time
$t$, written $\mathit{CBel}(a,\phi)(t)$, if $a$ has reason to believe that $\phi$ is true at $t$. The formal
semantics for the new operator are, for simplicity, the standard possible-worlds
semantics, but indexed by agent and time point. Thus, for each agent $a$, time
point $t$ and world $w$, $\mathcal{R}_{(\mathit{Bel},a,t,w)}$ is a binary accessibility relation on worlds which
represents $a$'s candidate beliefs in $w$ at $t$. As usual, $\mathcal{R}_{(\mathit{Bel},a,t,w)}$ is required to be
transitive and Euclidean, corresponding to positive and negative introspection.
However $\mathcal{R}_{(\mathit{Bel},a,t,w)}$ is not required to be serial, so $a$'s candidate beliefs at $t$ need
not be jointly consistent. The truth condition for the candidate belief operator
is thus as follows:

$$M,w,g \models \mathit{CBel}(a,\phi)(t) \text{ iff } M,w',g \models \phi \text{ for all } (w,w') \in \mathcal{R}_{(\mathit{Bel},a,t,w)}.$$

We will use the preference and indifference operators to represent the
comparative importance of the agent's candidate beliefs and, in due course, of the
agent's beliefs. Thus $\mathit{Pref}(a,\mathit{CBel}(a,\phi)(t),\mathit{CBel}(a,\psi)(t))(t)$ states that, at $t$, $a$
considers candidate belief $\phi$ to be more reliable than candidate belief $\psi$. In order
to abbreviate complex sentences such as this we will adopt the convention that
a missing agent term is the same as the closest agent term to its left and that a
missing temporal term is the same as the closest temporal term to its right; thus
the last sentence is abbreviated to $\mathit{Pref}(a,\mathit{CBel}(\phi),\mathit{CBel}(\psi))(t)$. Preferences
between (candidate) beliefs are required to satisfy the following conditions:

(RPCB) $\mathit{Pref}(a,\mathit{CBel}(\phi),\mathit{CBel}(\psi))(t) \to \mathit{CBel}(a,\phi)(t) \land \mathit{CBel}(a,\psi)(t)$
(RPB) $\mathit{Pref}(a,\mathit{Bel}(\phi),\mathit{Bel}(\psi))(t) \to \mathit{Bel}(a,\phi)(t) \land \mathit{Bel}(a,\psi)(t)$

(RPCB) is a realism condition on preferences between candidate beliefs. To say
that at $t$, $a$ prefers candidate belief $\phi$ to candidate belief $\psi$ should imply that $\phi$
and $\psi$ are candidate beliefs for $a$ at $t$. Similarly (RPB) is a realism condition on
preferences between beliefs.

By introducing preferences on an agent’s candidate beliefs at time t we obtain 
the agent’s candidate belief hierarchy at t, and this will be used to define the 
agent’s belief hierarchy at t. As our ultimate concern is with finite, resource- 
bounded, agents we will assume that at any time point the agent has a finite 
number of logically distinct candidate beliefs. 

The agent’s belief hierarchy at t should be a subhierarchy of the agent’s 
candidate belief hierarchy at t. In order to ensure that this is the case, we require 
the additional conditions: 

(PBCB) $\mathit{Pref}(a,\mathit{Bel}(\phi),\mathit{Bel}(\psi))(t) \to \mathit{Pref}(a,\mathit{CBel}(\phi),\mathit{CBel}(\psi))(t)$

(PCBB) $\mathit{Pref}(a,\mathit{CBel}(\phi),\mathit{CBel}(\psi))(t) \land \mathit{Bel}(a,\phi)(t) \land \mathit{Bel}(a,\psi)(t) \to \mathit{Pref}(a,\mathit{Bel}(\phi),\mathit{Bel}(\psi))(t)$

(PBCB) and (PCBB) together ensure the agent's preferences on candidate
beliefs are consistent with its preferences on beliefs. The last three conditions
are, of course, equivalent to the following one:

$$\mathit{Pref}(a,\mathit{Bel}(\phi),\mathit{Bel}(\psi))(t) \leftrightarrow \mathit{Pref}(a,\mathit{CBel}(\phi),\mathit{CBel}(\psi))(t) \land \mathit{Bel}(a,\phi)(t) \land \mathit{Bel}(a,\psi)(t)$$

The axioms for the irreflexivity and transitivity of preferences, (IR) and
(TR), ensure that the preference orderings on beliefs and candidate beliefs are
strict partial orderings. The corresponding weak preference orderings on
(candidate) beliefs are, of course, pre-orderings. Finally, preference between a belief
and a candidate belief can be defined as follows:

$$\mathit{Pref}(a,\mathit{Bel}(\phi),\mathit{CBel}(\psi))(t) \leftrightarrow \mathit{Pref}(a,\mathit{CBel}(\phi),\mathit{CBel}(\psi))(t) \land \mathit{Bel}(a,\phi)(t)$$

We are now in a position to give the formal definition of coherence and thus 
of beliefs. 

Definition 2. A candidate belief is P-coherent if the agent believes that it is
jointly consistent with every belief that the agent prefers to it:

$$\mathit{PCoherent}(a,\phi)(t) \leftrightarrow \neg\mathit{CBel}(a, (\phi \land \bigwedge\{[\psi] : \mathit{Pref}(a,\mathit{Bel}(\psi),\mathit{CBel}(\phi))(t)\}) \to \bot)(t).$$

Footnote: Recall that we are assuming that at any time point an agent has a finite number
of logically distinct candidate beliefs. In this and the following definition $[\psi]$ is the
representative member of the class of all formulas which are logically equivalent to
$\psi$. As usual, for finite formula set $S$, $\bigwedge S$ is the conjunction of the formulas in $S$ and
$\bigwedge\emptyset \leftrightarrow \top$.

Definition 3. A candidate belief is PI-coherent if it is P-coherent, and it coheres
with all peer candidate beliefs which are P-coherent:

$$\mathit{PICoherent}(a,\phi)(t) \leftrightarrow \mathit{PCoherent}(a,\phi)(t) \land \mathit{PCoherent}(a, \phi \land \bigwedge\{[\psi] : \mathit{Ind}(a,\mathit{CBel}(\phi),\mathit{CBel}(\psi)) \land \mathit{PCoherent}(\psi)\})(t).$$

Definition 4. A belief is a PI-coherent candidate belief:

$$\mathit{Bel}(a,\phi)(t) \leftrightarrow \mathit{CBel}(a,\phi)(t) \land \mathit{PICoherent}(a,\phi)(t).$$

Proposition 5. Static properties of candidate beliefs and beliefs.

1. Any maximal candidate belief is a belief:

$\mathit{CBel}(a,\phi)(t) \land \forall\psi(\mathit{PrefInd}(a,\mathit{CBel}(\psi),\mathit{CBel}(\phi))(t)) \to \mathit{Bel}(a,\phi)(t)$.

2. All beliefs are candidate beliefs:

$\mathit{Bel}(a,\phi)(t) \to \mathit{CBel}(a,\phi)(t)$.

3. Beliefs are consistent.

$\mathit{Bel}(a,\phi)(t) \to \neg\mathit{Bel}(a,\neg\phi)(t)$.

4. Beliefs are decomposable under conjunction.

$\mathit{Bel}(a,\phi \land \psi)(t) \to \mathit{Bel}(a,\phi)(t) \land \mathit{Bel}(a,\psi)(t)$.

5. Beliefs are closed under conjunction.

$\mathit{Bel}(a,\phi)(t) \land \mathit{Bel}(a,\psi)(t) \to \mathit{Bel}(a,\phi \land \psi)(t)$.

6. Beliefs are closed under implication.

$\mathit{Bel}(a,\phi)(t) \land \mathit{Bel}(a,\phi \to \psi)(t) \to \mathit{Bel}(a,\psi)(t)$.

7. Consistency principle for peer beliefs:

$\mathit{PrefInd}(a,\mathit{CBel}(\phi),\mathit{CBel}(\psi))(t) \land \neg\mathit{PCoherent}(a,\phi \land \psi)(t) \to \neg(\mathit{Bel}(\phi)(t) \land \mathit{Bel}(\psi)(t))$.

8. Maximality principle for peer beliefs:

$\mathit{Ind}(a,\mathit{CB}(\phi),\mathit{CB}(\psi))(t) \land \mathit{PCoherent}(a,\phi)(t) \land \mathit{PCoherent}(a,\psi)(t) \to \mathit{Bel}(a,\phi \lor \psi)(t)$.

Proof. For (1), if $\phi$ is a candidate belief, for an agent $a$ at time $t$, and there is
no more reliable candidate belief than $\phi$, then $\phi$ is a maximal $\mathit{CBel}$. As $\phi$ is a
maximal $\mathit{CBel}$, it is coherent, and hence it is also a belief.

Footnote: In the sequel, we will often omit the agent name $a$ and the time point $t$ in proofs
when it does not cause any ambiguity.

(2) and (3) follow from the definition of beliefs.

For (4), suppose that $\phi \land \psi$ is a belief for $a$ at $t$. If $\neg\mathit{Bel}(a,\phi)(t)$ holds, then by
the definition of belief, either $\neg\mathit{PCoherent}(a,\phi)(t)$ holds, or
$\mathit{PCoherent}(a,\phi)(t) \land \exists\chi(\mathit{ICBel}(a,\phi,\chi)(t) \land \mathit{PCoherent}(a,\chi)(t) \land \neg\mathit{PCoherent}(a,\phi \land \chi)(t))$ holds.
The former contradicts $\mathit{Bel}(a,\phi \land \psi)(t)$. While from the latter it follows,
by $\mathit{PCoherent}(a,\chi)(t)$ and $\mathit{Bel}(a,\phi \land \psi)(t)$, that $\mathit{PCoherent}(a,\chi \land \phi \land \psi)(t)$.
We thus have $\mathit{PCoherent}(a,\chi \land \phi)(t)$, contradicting $\neg\mathit{PCoherent}(a,\phi \land \chi)(t)$.
Thus, we conclude that $\mathit{Bel}(a,\phi)(t)$ holds. The proof for $\mathit{Bel}(a,\psi)(t)$ is similar.

Footnote: Where $\mathit{ICBel}(a,\phi,\chi)(t)$ denotes that $\chi$ is a conjunction of candidate beliefs
which are peers of $\phi$. Thus $\mathit{Ind}(a,\mathit{CBel}(\phi),\mathit{CBel}(\psi))(t) \to \mathit{ICBel}(a,\phi,\psi)(t)$, and
$\mathit{Ind}(a,\mathit{CBel}(\phi),\mathit{CBel}(\psi_1))(t) \land \mathit{ICBel}(a,\phi,\psi_2)(t) \to \mathit{ICBel}(a,\phi,\psi_1 \land \psi_2)(t)$.

For (5), suppose that $\mathit{Bel}(a,\phi)(t) \land \mathit{Bel}(a,\psi)(t)$ holds. We know that either
$\mathit{Pref}(a,\mathit{CBel}(\phi),\mathit{CBel}(\psi))(t)$ or $\mathit{Pref}(a,\mathit{CBel}(\psi),\mathit{CBel}(\phi))(t)$ or
$\mathit{Ind}(a,\mathit{CBel}(\phi),\mathit{CBel}(\psi))(t)$ holds. Suppose that $\mathit{Pref}(a,\mathit{CBel}(\phi),\mathit{CBel}(\psi))(t)$ holds. Then,
from $\mathit{Bel}(a,\psi)(t)$, we know that $\mathit{PCoherent}(a,\phi \land \psi)(t)$ holds. If $\neg\mathit{Bel}(a,\phi \land \psi)(t)$
holds, then this means that there exists a $\chi$ such that $\mathit{ICBel}(a,\phi \land \psi,\chi)(t) \land
\mathit{PCoherent}(a,\chi)(t) \land \neg\mathit{PCoherent}(a,\phi \land \psi \land \chi)(t)$ holds. However, from
$\mathit{PCoherent}(a,\chi)(t)$ and $\mathit{Pref}(a,\mathit{CBel}(\phi),\mathit{CBel}(\psi))(t)$ and $\mathit{Pref}(a,\mathit{CBel}(\phi),\mathit{CBel}(\chi))$,
we have $\mathit{PCoherent}(a,\phi \land \chi)(t)$, contradicting $\neg\mathit{PCoherent}(a,\phi \land \psi \land \chi)(t)$.
The proof for the case where $\mathit{Pref}(a,\mathit{CBel}(\psi),\mathit{CBel}(\phi))(t)$ holds is similar.

For the case where $\mathit{Ind}(a,\mathit{CBel}(\phi),\mathit{CBel}(\psi))(t)$ holds we know by the definition
of beliefs that $\mathit{PCoherent}(a,\phi \land \psi)(t)$ and there exists no other peer $\chi$ such that
$\neg\mathit{PCoherent}(a,\phi \land \psi \land \chi)(t)$. Therefore, we conclude that $\mathit{Bel}(a,\phi \land \psi)(t)$.

(6) follows from (4) and (5). (7) is straightforward from the definition of belief and
the consistency of belief hierarchies.

For (8), suppose that $\mathit{PrefInd}(a,\mathit{CBel}(\phi),\mathit{CBel}(\psi))(t) \land \mathit{PCoherent}(a,\phi)(t) \land
\mathit{PCoherent}(a,\psi)(t)$. If $\neg\mathit{Bel}(a,\phi \lor \psi)(t)$ holds, then by the definition of
belief, we have either $\neg\mathit{PCoherent}(a,\phi \lor \psi)(t)$ or there exists a $\chi$ such that
$\mathit{ICBel}(a,\chi,\phi \lor \psi)(t) \land \mathit{PCoherent}(a,\chi)(t) \land \neg\mathit{PCoherent}(a,\chi \land (\phi \lor \psi))(t)$. In the
former case it follows that either $\neg\mathit{PCoherent}(a,\phi)(t)$ or $\neg\mathit{PCoherent}(a,\psi)(t)$,
giving a contradiction in each case. While from the latter it follows that $\chi$ is
inconsistent with $\phi \lor \psi$, which contradicts the supposition that $\chi$ is P-coherent.
□

4 Belief Revision 

Thus far our analysis has been concerned with the static properties of beliefs 
and belief hierarchies, with the properties of agents’ beliefs and belief hierarchies 
at particular points in time. In this section we consider the dynamic properties 
of beliefs and belief hierarchies; that is, how they should be revised over time. 
Clearly a rational agent should only revise its beliefs if they become incoherent. 
Moreover when revising the agent should keep higher-level beliefs in preference 
to lower-level beliefs wherever coherence permits, and should only make those 
changes which are necessary in order to restore coherence. 

In order to represent the persistence of beliefs and preferences, we use the
affected operator, $\mathit{Aff}$, of CA. This modal operator is analogous to the $\mathit{Ab}$
predicate of the Situation Calculus. Let $\Phi$ be a meta-variable which ranges over the
non-temporal component of atomic modal formulas. Then a formula $\Phi(t)$ is
affected at $t$ if its truth value at $t$ differs from its truth value at $t+1$:

$$M,w,g \models \mathit{Aff}(\Phi)(t) \text{ iff } M,w,g \models \neg(\Phi(t) \leftrightarrow \Phi(t+1)).$$

Footnote: Atomic modal formulas are formulas of the form $\mathit{op}(a,\phi_1,\ldots,\phi_n)(t)$, where $n \ge 1$
and $\mathit{op}$ is a modal operator other than $\mathit{Aff}$.

We thus have the following persistence rule:

$$\Phi(t) \land \neg\mathit{Aff}(\Phi)(t) \to \Phi(t+1).$$

Intuitively we are interested in models in which this schema is used from
left-to-right only in order to reason "forwards in time" from instances of its
antecedent to instances of its consequent. Typically also we want to be able
to infer the second conjunct of each instance nonmonotonically whenever it is
consistent to do so. For example, if we have $\mathit{Bel}(a,\phi)(t)$ then we want to be able
to use the rule to infer $\mathit{Bel}(a,\phi)(t+1)$ if $\mathit{Aff}(\mathit{Bel}(a,\phi))(t)$ cannot be inferred. In
order to enforce this interpretation, we define a prioritized form of preferential
entailment [14].

Definition 6. Let $A_1, \ldots, A_n$ be a partition of the atomic modal sentences of $n$
different types according to their type. For each $A_i$, model $M$ and time point $t$,
let $M_{A_i}/t = \{\alpha_i(t') \in A_i \mid t' \le t,\ M \models \alpha_i(t')\}$. Then a model $M$ is
chronologically less defined than a model $M'$ on the basis of the priorities $(A_1, \ldots, A_n)$,
written $M \prec_{(A_1,\ldots,A_n)} M'$, iff $M$ and $M'$ differ at most on the interpretation of
$A_1, \ldots, A_n$ and there is a time point $t$ such that:

- for some $i$ such that $1 \le i \le n$, $M_{A_i}/t \subset M'_{A_i}/t$, and

- for all $j$ such that $1 \le j < i$, $M_{A_j}/t \subseteq M'_{A_j}/t$.

Footnote: For example, $A_1$ might be the set $\mathit{Bel}$ of all belief atoms $\mathit{Bel}(a,\phi)(t)$, $A_2$ might be
the set $\mathit{Pref}$ of all preference atoms $\mathit{Pref}(a,\phi,\psi)(t)$, etc.

Definition 7. A model $M$ is an $(A_1, \ldots, A_n)$-preferred model of a sentence $\phi$
if $M \models \phi$ and there is no model $M'$ such that $M' \models \phi$ and $M' \prec_{(A_1,\ldots,A_n)} M$.

Similarly, $M$ is an $(A_1, \ldots, A_n)$-preferred model of a set of sentences $\Theta$ if $M \models \Theta$
and there is no model $M'$ such that $M' \models \Theta$ and $M' \prec_{(A_1,\ldots,A_n)} M$.

Definition 8. A set of sentences $\Theta$ preferentially entails a sentence $\phi$ given
the priorities $(A_1, \ldots, A_n)$ (written $\Theta \mathrel{|\!\approx}_{(A_1,\ldots,A_n)} \phi$) iff, for any
$(A_1, \ldots, A_n)$-preferred model $M$ of $\Theta$, $M \models \phi$.

In the sequel we will say that a set of sentences $\Theta$ is a belief theory if it
contains the axioms of our theory of belief. We are therefore interested in the
$(\mathit{CBel}, \mathit{Pref}, \mathit{Aff})$-preferred models of belief theories. In models of belief
theories candidate beliefs, preferences and affected atoms should be minimized
chronologically while, at any time point, candidate beliefs should be minimized
before preferences, and preferences should be minimized before affected atoms.
In the sequel we will abbreviate $\Theta \mathrel{|\!\approx}_{(\mathit{CBel},\mathit{Pref},\mathit{Aff})}$ to $\Theta \mathrel{|\!\approx}$.

As a result of the definitions we have:

Proposition 9. Dynamic properties of beliefs and belief hierarchies.

1. Beliefs persist by default.

2. Preferences on beliefs persist by default.

3. Belief hierarchies persist by default.

4. Belief hierarchies are upwardly stable.

Proof. For (1), let $\Theta$ be a belief theory such that $\Theta \mathrel{|\!\approx} \mathit{Bel}(a,\phi)(t)$ and
$\Theta \mathrel{|\!\approx} \neg\mathit{Aff}(\mathit{Bel}(a,\phi))(t)$. Then it follows from the persistence rule that
$\Theta \mathrel{|\!\approx} \mathit{Bel}(a,\phi)(t+1)$. The proof for (2) is similar. Part (3) follows from (1) and (2). Part (4)
follows from the maximality and default persistence of belief hierarchies. □

By way of illustration, we show how the opening example can be formalized.

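Example 1. Let 1, 2, ... denote time points, and $\mathit{one}$ and $\mathit{two}$ denote the two
platforms, and let $\Theta$ be a belief theory which contains the following sentences
representing agent $a$'s beliefs, preferences and candidate beliefs:

(A) $\mathit{Pref}(a, \mathit{CBel}(\mathit{Timetable}(\mathit{one})), \mathit{CBel}(\forall x(\mathit{Timetable}(x) \to \mathit{Platform}(x))))(1)$,
(B) $\mathit{Pref}(a, \mathit{CBel}(\mathit{Board}(\mathit{two})), \mathit{CBel}(\forall x(\mathit{Board}(x) \to \mathit{Platform}(x))))(2)$,
(C) $\mathit{Pref}(a, \mathit{CBel}(\forall x(\mathit{Board}(x) \to \mathit{Platform}(x))), \mathit{CBel}(\forall x(\mathit{Timetable}(x) \to \mathit{Platform}(x))))(2)$,
(D) $\mathit{Pref}(a, \mathit{CBel}(\mathit{Infoman}(\mathit{two})), \mathit{CBel}(\forall x(\mathit{Infoman}(x) \to \mathit{Platform}(x))))(3)$,
(E) $\mathit{Pref}(a, \mathit{CBel}(\forall x(\mathit{Infoman}(x) \to \mathit{Platform}(x))), \mathit{CBel}(\forall x(\mathit{Board}(x) \to \mathit{Platform}(x))))(3)$,
(F) $\mathit{Pref}(a, \mathit{CBel}(\mathit{Train}(\mathit{one})), \mathit{CBel}(\forall x(\mathit{Train}(x) \to \mathit{Platform}(x))))(4)$,
(G) $\mathit{Pref}(a, \mathit{CBel}(\forall x(\mathit{Board}(x) \to \mathit{Platform}(x))), \mathit{CBel}(\forall x(\mathit{Train}(x) \to \mathit{Platform}(x))))(4)$,
(H) $\mathit{Pref}(a, \mathit{CBel}(\mathit{Signman}(\mathit{one})), \mathit{CBel}(\forall x(\mathit{Signman}(x) \to \mathit{Platform}(x))))(5)$,
(I) $\mathit{Pref}(a, \mathit{CBel}(\forall x(\mathit{Signman}(x) \to \mathit{Platform}(x))), \mathit{CBel}(\forall x(\mathit{Infoman}(x) \to \mathit{Platform}(x))))(5)$,
(J) $\forall\psi\,\mathit{Pref}(a, \mathit{CBel}((\mathit{Platform}(\mathit{one}) \lor \mathit{Platform}(\mathit{two})) \land \neg(\mathit{Platform}(\mathit{one}) \land \mathit{Platform}(\mathit{two}))), \mathit{CBel}(a,\psi))(1)$.

For natural numbers $n_1$ and $n_2$ such that $1 \le n_1 < n_2 \le 7$, we will use
$\Phi([n_1 \ldots n_2])$ to denote the conjunction $\Phi(n_1) \land \Phi(n_1+1) \land \ldots \land \Phi(n_2)$. Then the
following sentences are true in all $(\mathit{CBel}, \mathit{Pref}, \mathit{Aff})$-preferred models of $\Theta$:

(a) $\mathit{Pref}(a, \mathit{CBel}(\mathit{Timetable}(\mathit{one})), \mathit{CBel}(\forall x(\mathit{Timetable}(x) \to \mathit{Platform}(x))))([1 \ldots 5])$,
(b) $\mathit{Pref}(a, \mathit{CBel}(\mathit{Board}(\mathit{two})), \mathit{CBel}(\forall x(\mathit{Board}(x) \to \mathit{Platform}(x))))([2 \ldots 5])$,
(c) $\mathit{Pref}(a, \mathit{CBel}(\forall x(\mathit{Board}(x) \to \mathit{Platform}(x))), \mathit{CBel}(\forall x(\mathit{Timetable}(x) \to \mathit{Platform}(x))))([2 \ldots 5])$,
(d) $\mathit{Pref}(a, \mathit{CBel}(\mathit{Infoman}(\mathit{two})), \mathit{CBel}(\forall x(\mathit{Infoman}(x) \to \mathit{Platform}(x))))([3 \ldots 5])$,
(e) $\mathit{Pref}(a, \mathit{CBel}(\forall x(\mathit{Infoman}(x) \to \mathit{Platform}(x))), \mathit{CBel}(\forall x(\mathit{Board}(x) \to \mathit{Platform}(x))))([3 \ldots 5])$,
(f) $\mathit{Pref}(a, \mathit{CBel}(\mathit{Train}(\mathit{one})), \mathit{CBel}(\forall x(\mathit{Train}(x) \to \mathit{Platform}(x))))([4 \ldots 5])$,
(g) $\mathit{Pref}(a, \mathit{CBel}(\forall x(\mathit{Board}(x) \to \mathit{Platform}(x))), \mathit{CBel}(\forall x(\mathit{Train}(x) \to \mathit{Platform}(x))))([4 \ldots 5])$,
(h) $\mathit{Pref}(a, \mathit{CBel}(\mathit{Signman}(\mathit{one})), \mathit{CBel}(\forall x(\mathit{Signman}(x) \to \mathit{Platform}(x))))(5)$,
(i) $\mathit{Pref}(a, \mathit{CBel}(\forall x(\mathit{Signman}(x) \to \mathit{Platform}(x))), \mathit{CBel}(\forall x(\mathit{Infoman}(x) \to \mathit{Platform}(x))))(5)$,
(j) $\forall\psi\,\mathit{Pref}(a, \mathit{CBel}((\mathit{Platform}(\mathit{one}) \lor \mathit{Platform}(\mathit{two})) \land \neg(\mathit{Platform}(\mathit{one}) \land \mathit{Platform}(\mathit{two}))), \mathit{CBel}(a,\psi))([1 \ldots 5])$.

So in all $(\mathit{CBel}, \mathit{Pref}, \mathit{Aff})$-preferred models of $\Theta$ $a$'s beliefs change as follows
during the period:

(0) $\mathit{Bel}(a, (\mathit{Platform}(\mathit{one}) \lor \mathit{Platform}(\mathit{two})) \land \neg(\mathit{Platform}(\mathit{one}) \land \mathit{Platform}(\mathit{two})))([1 \ldots 5])$   [by (j)]
(1) $\mathit{Bel}(a, \mathit{Timetable}(\mathit{one}))(1)$   [by (a)]
(2) $\mathit{Bel}(a, \forall x(\mathit{Timetable}(x) \to \mathit{Platform}(x)))(1)$   [by (1), (a)]
(3) $\mathit{Bel}(a, \mathit{Platform}(\mathit{one}))(1)$   [by (1), (2)]
(4) $\neg\mathit{Bel}(a, \mathit{Platform}(\mathit{two}))(1)$   [by (0), (3)]
(5) $\mathit{Bel}(a, \mathit{Board}(\mathit{two}))(2)$   [by (b)]
(6) $\mathit{Bel}(a, \forall x(\mathit{Board}(x) \to \mathit{Platform}(x)))(2)$   [by (b), (c)]
(7) $\neg\mathit{Bel}(a, \forall x(\mathit{Timetable}(x) \to \mathit{Platform}(x)))(2)$   [by (c)]
(8) $\mathit{Bel}(a, \mathit{Platform}(\mathit{two}))(2)$   [by (5), (6)]
(9) $\neg\mathit{Bel}(a, \mathit{Platform}(\mathit{one}))(2)$   [by (0), (8)]
(10) $\mathit{Bel}(a, \mathit{Infoman}(\mathit{two}))(3)$   [by (d)]
(11) $\mathit{Bel}(a, \forall x(\mathit{Infoman}(x) \to \mathit{Platform}(x)))(3)$   [by (10)]
(12) $\mathit{Bel}(a, \mathit{Platform}(\mathit{two}))(3)$   [by (10), (11)]
(13) $\neg\mathit{Bel}(a, \mathit{Platform}(\mathit{one}))(3)$   [by (0), (12)]
(14) $\mathit{Bel}(a, \mathit{Train}(\mathit{one}))(4)$   [by (f)]
(15) $\neg\mathit{Bel}(a, \forall x(\mathit{Train}(x) \to \mathit{Platform}(x)))(4)$   [by (g)]
(16) $\mathit{Bel}(a, \mathit{Platform}(\mathit{two}))(4)$   [by (Persistence)]
(17) $\neg\mathit{Bel}(a, \mathit{Platform}(\mathit{one}))(4)$   [by (0), (16)]
(18) $\mathit{Bel}(a, \mathit{Signman}(\mathit{one}))(5)$   [by (h)]
(19) $\mathit{Bel}(a, \forall x(\mathit{Signman}(x) \to \mathit{Platform}(x)))(5)$   [by (h)]
(20) $\neg\mathit{Bel}(a, \forall x(\mathit{Infoman}(x) \to \mathit{Platform}(x)))(5)$   [by (i)]
(21) $\mathit{Bel}(a, \mathit{Platform}(\mathit{one}))(5)$   [by (18), (19)]
(22) $\neg\mathit{Bel}(a, \mathit{Platform}(\mathit{two}))(5)$   [by (0), (21)]

□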
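Definitions 2-4 and the derivation in Example 1 can be traced mechanically. The following Python sketch is an added example, not code from the paper: it grounds each rule over the two platforms, assumes a total ranking of the candidate beliefs that agrees with the preferences (A)-(J) (the numeric levels and all function names are assumptions), and recomputes the hierarchy at each time point instead of modelling persistence through preferred models.

```python
from itertools import product

PLATFORMS = ("one", "two")
SOURCES = ("Timetable", "Board", "Infoman", "Train", "Signman")
ATOMS = [f"{p}({x})" for p in ("Platform",) + SOURCES for x in PLATFORMS]
# Every truth assignment to the 12 ground atoms (4096 worlds).
WORLDS = [dict(zip(ATOMS, bits))
          for bits in product((False, True), repeat=len(ATOMS))]


def fact(pred, x):
    """Ground atom such as Timetable(one)."""
    return lambda w: w[f"{pred}({x})"]


def rule(pred):
    """forall x (pred(x) -> Platform(x)), grounded over both platforms."""
    return lambda w: all(not w[f"{pred}({x})"] or w[f"Platform({x})"]
                         for x in PLATFORMS)


def exclusive(w):
    """Sentence (J): the train leaves from exactly one platform."""
    one, two = w["Platform(one)"], w["Platform(two)"]
    return (one or two) and not (one and two)


def consistent(formulas):
    return any(all(f(w) for f in formulas) for w in WORLDS)


def entails(formulas, goal):
    return all(goal(w) for w in WORLDS if all(f(w) for f in formulas))


# (name, level, formula, first time point); level 0 is most preferred.
# ASSUMPTION: the numeric levels are one total ranking that agrees with
# the preferences (A)-(J); the paper only states the pairwise preferences.
CANDIDATES = [
    ("exclusive", 0, exclusive, 1),
    ("Timetable(one)", 1, fact("Timetable", "one"), 1),
    ("Board(two)", 1, fact("Board", "two"), 2),
    ("Infoman(two)", 1, fact("Infoman", "two"), 3),
    ("Train(one)", 1, fact("Train", "one"), 4),
    ("Signman(one)", 1, fact("Signman", "one"), 5),
    ("rule:Signman", 2, rule("Signman"), 5),
    ("rule:Infoman", 3, rule("Infoman"), 3),
    ("rule:Board", 4, rule("Board"), 2),
    ("rule:Timetable", 5, rule("Timetable"), 1),
    ("rule:Train", 5, rule("Train"), 4),
]


def beliefs(t):
    """Candidate beliefs at t that are PI-coherent, computed top-down."""
    active = [c for c in CANDIDATES if c[3] <= t]
    accepted = []
    for level in sorted({c[1] for c in active}):
        higher = [c[2] for c in accepted]
        peers = [c for c in active if c[1] == level]
        # Definition 2: consistent with every belief preferred to it.
        p_coherent = [c for c in peers if consistent(higher + [c[2]])]
        # Definition 3: also consistent together with its P-coherent peers.
        if p_coherent and consistent(higher + [c[2] for c in p_coherent]):
            accepted.extend(p_coherent)  # Definition 4
    return accepted


def belief_names(t):
    return [name for name, _, _, _ in beliefs(t)]


def platform_belief(t):
    """Platform the agent believes in at t, or None if undetermined."""
    formulas = [f for _, _, f, _ in beliefs(t)]
    held = [x for x in PLATFORMS if entails(formulas, fact("Platform", x))]
    return held[0] if len(held) == 1 else None


if __name__ == "__main__":
    for t in range(1, 6):
        print(t, platform_belief(t), belief_names(t))
```

The platform believed at time points 1 to 5 comes out as one, two, two, two, one, matching steps (3), (8), (12), (16) and (21) of the derivation; the rules dropped at times 2, 4 and 5 correspond to steps (7), (15) and (20).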

It is interesting to compare our work with the AGM theory of belief revision
developed by Alchourrón, Gärdenfors and Makinson, e.g. [6,7]. In the AGM
theory an agent's beliefs are represented by a knowledge set; a deductively closed
set of sentences which, at any stage, can be modified in one of three ways:

Expansion: A proposition $\phi$, which is consistent with a knowledge set $K$, is
added to $K$. The result is denoted $K + \phi$.

Revision: A proposition $\phi$, which may be inconsistent with a knowledge set
$K$, is added to it. In order to maintain consistency some of the propositions
which were in $K$ may have to be removed. A revision of $K$ by $\phi$ is denoted
by $K * \phi$.

Contraction: A proposition $\phi$ is removed from a knowledge set $K$. A
contraction of $K$ by $\phi$ is denoted by $K - \phi$.

Alchourrón, Gärdenfors and Makinson propose a number of plausible
postulates which any definition of these operations should satisfy. The postulates for
expansion are straightforward. Those for revision are as follows:

(a) [Closure] $K * \phi$ is a closed theory.

(b) [Inclusion] $K * \phi \subseteq K + \phi$.

(c) [Vacuity] If $\neg\phi \notin K$, then $K + \phi \subseteq K * \phi$.

(d) [Success] $\phi \in K * \phi$.

(e) [Consistency] If $\bot \in K * \phi$, then $\neg\phi \in Cn(\emptyset)$.

(f) [Extensionality] If $Cn(K) = Cn(K')$, then $K * \phi = K' * \phi$.

Footnote: Where $Cn(S)$ is the deductive closure of $S$.

The postulates for contraction need not concern us as the Harper identity
shows that the contraction operation can be defined in terms of the revision
operation:

$$K - \phi = (K * \neg\phi) \cap K.$$

Our theory differs from the AGM theory in at least three important respects.
In our theory beliefs are represented as hierarchies of propositions, rather than
sets of sentences, and the preferences among beliefs must be considered when
revision takes place. Moreover, revision of a hierarchy from one time point to
the next may correspond to several AGM operations; several beliefs may have
to be removed in order to incorporate new ones, while several others may simply
be added or deleted. Finally, the revision of a hierarchy will always be unique;
unlike the result of an AGM revision.

In order to make a comparison we consider the special case in which each
revision of a belief hierarchy corresponds to a single AGM operation. For belief
theory $\Theta$ and resulting belief hierarchy at time $t$, we can define an agent $a$'s
belief set at $t$ as follows:

$$\mathit{Bel}(a,t) = \{\psi : \Theta \mathrel{|\!\approx} \mathit{Bel}(a,\psi)(t)\}.$$

Given an operation on $a$'s belief set at $t$ and the proposition $\phi$, we are thus
interested in $a$'s belief set at $t+1$.

An AGM-type expansion operator can be partially defined as follows:

$$\mathit{Bel}(a,t) + \phi = \{\psi : \Theta \mathrel{|\!\approx} \mathit{Bel}(a,\psi)(t)\} \cup \{\psi : \Theta \mathrel{|\!\approx} \mathit{Bel}(a,\phi \to \psi)(t+1)\}$$
when $\Theta \mathrel{|\!\approx} \mathit{Bel}(a,\phi)(t+1)$.

The assumption that the expansion $\mathit{Bel}(a,t) + \phi$ is the only operation which
occurs at $t$ is captured by the following condition:

(Uni+) If $\mathit{Bel}(a,t) + \phi$ is defined, then $\mathit{Bel}(a,t) + \phi = \mathit{Bel}(a,t+1)$.

An AGM-type revision operator can be partially defined in a similar way:

$$\mathit{Bel}(a,t) * \phi = \{\psi : \Theta \mathrel{|\!\approx} \mathit{Bel}(a,\psi)(t) \land \neg\mathit{Aff}(\mathit{Bel}(a,\psi))(t)\} \cup \{\psi : \Theta \mathrel{|\!\approx} \mathit{Bel}(a,\phi \to \psi)(t+1)\}$$
when $\Theta \mathrel{|\!\approx} \mathit{Bel}(a,\phi)(t+1)$.

The assumption that the revision $\mathit{Bel}(a,t) * \phi$ is the only operation which occurs
at $t$ is captured by the following condition:

(Uni*) If $\mathit{Bel}(a,t) * \phi$ is defined, then $\mathit{Bel}(a,t) * \phi = \mathit{Bel}(a,t+1)$.



Proposition 10. The belief revision operator defined above satisfies AGM
Postulates (a)-(f).

Proof. (a) follows from part (6) of Proposition 5. (b) is straightforward from the
definitions. For (c), if $\neg\phi \notin \mathit{Bel}(a,t)$, by definition, $\mathit{Bel}(a,\neg\phi)(t)$ does not hold.
Thus, the expansion and revision operations are defined, and (c) follows from
(Uni+). For (d), we know that if $\mathit{Bel}(a,t) * \phi$ is defined, then $\Theta \mathrel{|\!\approx} \mathit{Bel}(a,\phi)(t+1)$.
Thus, $\phi \in \mathit{Bel}(a,t) * \phi$. For (e), it follows from Proposition 5 that $\bot \in \mathit{Bel}(a,t) * \phi$
is undefined when $\phi$ is inconsistent, hence (e) holds vacuously. For (f), if
$Cn(\mathit{Bel}(a,t)) = Cn(\mathit{Bel}(a',t'))$, then $\mathit{Bel}(a,t) = \mathit{Bel}(a',t')$. Thus, for any $\psi$,
$\mathit{Bel}(a,\psi)(t) \leftrightarrow \mathit{Bel}(a',\psi)(t')$. By the definition of the revision operator, we thus
have $\mathit{Bel}(a,t) * \phi = \mathit{Bel}(a',t') * \phi$. □

When the appropriate uniqueness assumptions hold our theory can be viewed 
as a realisation of the AGM theory, and when they do not hold our theory can 
be viewed as an extension of it. 

Our theory is also of interest as part of a larger theory of practical reason- 
ing and rationality [2]; in particular, it has been used in the development of a 
common sense theory of the adoption of perception-based beliefs [4].

Acknowledgements 

This research forms part of the Ratio Project and is supported by the United 
Kingdom Engineering and Physical Sciences Research Council under grant num- 
ber GR/L34914. 

References 

1. J. Bell. Changing Attitudes. In: M.J. Wooldridge and N.R. Jennings (Eds.),
Intelligent Agents. Post-Proceedings of the ECAI'94 Workshop on Agent Theories,
Architectures, and Languages. Springer Lecture Notes in Artificial Intelligence, No.
890. Springer, Berlin, 1995, pp. 40-55.

2. J. Bell. A Planning Theory of Practical Rationality. Proceedings of the AAAI-95
Fall Symposium on Rational Agency: Concepts, Theories, Models and Applications,
M.I.T., November 1995, pp. 1-4.

3. J. Bell and Z. Huang. Dynamic Obligation Hierarchies. In: P. McNamara and
H. Prakken (Eds.), Norms, Logics and Information Systems: New Studies in
Deontic Logic and Computer Science. IOS Press, Amsterdam, 1999, pp. 231-246.

4. J. Bell and Z. Huang. Seeing is believing: A common sense theory of the adoption
of perception-based beliefs. Artificial Intelligence for Engineering Design, Analysis
and Manufacturing 13, 1999, pp. 133-140.

5. M. Dummett. The Significance of Quine's Indeterminacy Thesis. Synthese 27, 1974,
pp. 351-97.

6. P. Gärdenfors. Knowledge in Flux: Modeling the Dynamics of Epistemic States.
MIT Press, Cambridge, Massachusetts, 1988.

7. P. Gärdenfors and D. Makinson. Revisions of knowledge systems using epistemic
entrenchment. In: M. Vardi (Ed.), Proceedings of TARK'88. Morgan Kaufmann,
San Francisco, 1988, pp. 83-95.

8. Z. Huang. Logics for Agents with Bounded Rationality. ILLC Dissertation series
1994-10, University of Amsterdam, 1994.

9. Z. Huang, M. Masuch and L. Polos. ALX: an action logic for agents with bounded
rationality. Artificial Intelligence 82 (1996), pp. 101-153.

10. D. Lewis. Counterfactuals. Basil Blackwell, Oxford, 1973.

11. W.V.O. Quine. Two Dogmas of Empiricism. In: From a Logical Point of View.
Harvard University Press, Cambridge, Massachusetts, 1953.

12. W.V.O. Quine. Word and Object. MIT Press, Cambridge, Massachusetts, 1960.

13. W.V.O. Quine and J.S. Ullian. The Web of Belief. Random House, New York, 1970.

14. Y. Shoham. Reasoning About Change. MIT Press, Cambridge, Massachusetts, 1988.

15. R.A. Stalnaker. A theory of conditionals. Studies in Logical Theory, American
Philosophical Quarterly 2 (1968), pp. 98-122.

16. G. von Wright. The Logic of Preference. Edinburgh University Press, Edinburgh,
1963.




Modelling Internal Dynamic Behaviour of BDI Agents 



Frances Brazier¹, Barbara Dunin-Keplicz², Jan Treur¹, and Rineke Verbrugge¹

¹ Vrije Universiteit Amsterdam
Department of Mathematics and Computer Science, Artificial Intelligence Group
De Boelelaan 1081a, 1081 HV Amsterdam, The Netherlands
{frances,treur,rineke}@cs.vu.nl
http://www.cs.vu.nl

² Warsaw University
Institute of Informatics, ul. Banacha 2, 02-097 Warsaw, Poland
keplicz@mimuw.edu.pl



Abstract. A generic model for the internal dynamic behaviour of BDI agents is 
proposed. This model, a refinement of a generic agent model, explicitly specifies 
beliefs and motivational attitudes such as desires, goals, intentions, commitments, 
and plans, and their relations. A formal meta-language is used to represent beliefs, 
motivational attitudes and strategies. Dynamic aspects of reasoning about and 
revision of beliefs and motivational attitudes are modelled in a compositional 
manner within the modelling framework DESIRE. 



1 Introduction 

In the last five years multi-agent systems have been a major focus of research in AI.
The concept of agents, in particular the role of agents as participants in multi-agent 
systems, has been subject to discussion. In (Wooldridge and Jennings, 1995) different 
notions of strong and weak agency are presented. In other contexts big and small 
agents have been distinguished (Velde and Perram, 1996). In this paper, a model for a 
rational agent is proposed: a rational agent described using cognitive notions such as 
beliefs, desires and intentions. 

Beliefs, intentions, and commitments play a crucial role in determining how 
rational agents will act. Shoham defines an agent to be "an entity whose state is 
viewed as consisting of mental components such as beliefs, capabilities, choices, and 
commitments. (...) What makes any hardware or software component an agent is 
precisely the fact that one has chosen to analyze and control it in these mental terms" 
(Shoham, 1993). This definition provides a basis to study, model and specify mental 
attitudes; see (Rao and Georgeff, 1991; Cohen and Levesque, 1990; Shoham, 1991; 
Dunin-Keplicz and Verbrugge, 1996). 

The goal of this paper is to define a generic BDI agent model in the 
compositional multi-agent modelling framework DESIRE. To this purpose, a generic 
agent model is presented and refined to incorporate beliefs, desires and intentions (in 
which intentions with respect to goals are distinguished from intentions with respect 
to plans). The result is a more specific BDI agent in which dependencies between 
beliefs, desires and intentions are made explicit. The BDI model includes knowledge 
of different intention/commitment strategies in which these dependencies are used to 
reason about beliefs, desires, and intentions, but also to explicitly revise specific
beliefs, desires and intentions.

The main emphasis in this paper is on static and dynamic relations between 
mental attitudes. DESIRE (framework for DEsign and Specification of Interacting 
REasoning components) is a framework for modelling, specifying and implementing 
multi-agent systems, see (Brazier, Dunin-Keplicz, Jennings, and Treur, 1995, 1996; 
Dunin-Keplicz and Treur, 1995). Within the framework, complex processes are 
designed as compositional models consisting of interacting task-based hierarchically 
structured components. Agents are modelled as composed components. The 
interaction between components, and between components and the external world, is 
explicitly specified. Components may be primitive reasoning components using a 
knowledge base, but may also be subsystems capable of performing tasks using 
methods as diverse as decision theory, neural networks, and genetic algorithms. 

In this paper a small, simplified part of an application, namely meeting 
scheduling, is used to illustrate the way in which dependencies and strategies are used 
to model revision. 

The paper is structured in the following manner. In Section 2, a generic 
classification of mental attitudes is presented and a more precise characterization of a 
few selected motivational attitudes is given. Next, in Section 3, the specification 
framework DESIRE for multi-agent systems is characterized. In Section 4 a general 
agent model is described. The framework of modelling motivational attitudes in 
DESIRE is discussed in Section 5. In Section 6 the use of the explicit knowledge of 
dependencies and strategies for belief, intention and commitment revision is 
explained. Finally, Section 7 presents some conclusions and possible directions for 
further research. 



2 Intention and Commitment Strategies 

A number of motivational attitudes, and the static and dynamic relations between 
motivational attitudes and agents' activities, are modelled in this paper. Individual 
agents are assumed to have intentions and commitments both with respect to goals 
and with respect to plans. Joint motivational attitudes and joint actions are not 
discussed in this paper. The following classification of an agent's attitudes is used: 

1. Informational attitudes
   1.1 Knowledge
   1.2 Beliefs
2. Motivational attitudes
   2.1 Desires
   2.2 Intentions
       2.2.a Intended goals
       2.2.b Intended plans
   2.3 Commitments
       2.3.a Committed goals
       2.3.b Committed plans

In this classification the weakest motivational attitude is desire. Desires may be 
ordered according to preferences and they are the only motivational attitudes subject 
to inconsistency. A limited number of intended goals are chosen by an agent, on the 
basis of its (beliefs and) desires. In this paper only achievement goals (and not, for 
example, maintenance goals) are considered. Moreover, agents are assumed to assure
consistency of intentions. With respect to intentions, the conditions elaborated in 
(Bratman, 1987; Cohen and Levesque, 1990) are adopted. 

On the basis of intentions, an agent commits to itself to achieve both goals and to 
execute plans. In addition an agent may also make commitments to other agents. Such 
social commitments (Castelfranchi, 1995; Dunin-Keplicz and Verbrugge, 1996) are 
also explicitly modelled. As proposed in (Castelfranchi, 1995), contrary to some other 
approaches, social commitments are stronger than intentions, because the aspects of 
obligation and of interest in the commitment by the other agent are involved. 

After committing to a goal and an associated plan, an agent starts plan 
realization. Knowledge of strategies and dependencies is required to determine in 
which situations an agent drops an intention or commitment, and how. The kind of 
behavior that agents manifest depends on immanent behavioral characteristics and 
environment, including their intention and commitment strategies. As a result 
individual agents may behave differently in analogical situations. In (Rao and 
Georgeff 1991) intention strategies were introduced, which inspired the definition of 
social commitment strategies in (Dunin-Keplicz and Verbrugge, 1996). These 
commitment strategies include the additional aspects of communication and 
coordination. 

In this paper, three commitment strategies are distinguished. The strongest 
commitment strategy is followed by the blindly committed agent, which maintains its
commitments until it believes they have been achieved, irrespective of changes in its 
own goals and desires, and irrespective of other beliefs with respect to the feasibility 
of the commitment. A single-minded agent may drop commitments when it believes 
they can no longer be attained, irrespective of changes in its goals and desires. 
However, as soon as a single-minded agent abandons a commitment, communication 
and coordination are necessary with agents to whom the single-minded agent is 
committed. An open-minded agent may drop commitments when it believes they can 
no longer be attained or when the relevant goals are no longer desired. 
Communication and coordination with agents to whom the single-minded agent is
committed are also performed when commitments are abandoned.

For simplicity, in this paper each agent is assumed to follow a single commitment 
strategy during the whole process of plan realization. Moreover, it should be stressed 
that commitment strategies are used for both committed goals and committed plans. 



3 A Modelling Framework for Multi-agent Systems 

The compositional BDI model introduced in this paper is based on an analysis of the 
tasks performed by a BDI agent. Such a task analysis results, among others, in a 
(hierarchical) task composition, which is the basis for a compositional model: 
components in a compositional model are directly related to tasks in a task 
composition. Interaction between tasks is modelled and specified at each level within 
a task composition, making it possible to explicitly model tasks which entail 
interaction between agents. The hierarchical structures of tasks, interaction and 
knowledge are fully preserved within compositional models. Task coordination is of 
importance both within and between agents. Below the formal compositional 
framework for modelling multi-agent tasks DESIRE is briefly introduced, in which
the following aspects are modelled and specified (for more details, see (Brazier,
Dunin-Keplicz, Jennings, Treur, 1997)):

(1) a task composition,

(2) information exchange, 

(3) sequencing of tasks, 

(4) task delegation, 

(5) knowledge structures. 



3.1 Task Composition 

To model and specify composition of tasks, knowledge of the following types is 
required: 

• a task hierarchy,

• information a task requires as input,

• information a task produces as a result of task performance,

• meta-object relations between tasks.

Within a task hierarchy composed and primitive tasks are distinguished: in contrast to 
primitive tasks, composed tasks consist of a number of other tasks, which, in turn, 
may be either composed or primitive. Tasks are directly related to components: 
composed tasks are specified as composed components and primitive tasks as 
primitive components. 

Information required/produced by a task is defined by input and output 
signatures of a component. The signatures used to name the information are defined 
in a predicate logic with a hierarchically ordered sort structure (order-sorted predicate 
logic). Units of information are represented by the ground atoms defined in the 
signature. 

The role information plays within reasoning is indicated by the level of an atom 
within a signature: different (meta)levels may be distinguished. In a two-level 
situation the lowest level is termed object-level information, and the second level 
meta-level information. Meta-level information contains information about object- 
level information and reasoning processes; for example, for which atoms the values 
are still unknown (epistemic information). Similarly, tasks which include reasoning 
about other tasks are modelled as meta-level tasks with respect to object-level tasks. 
Often more than two levels of information and reasoning occur, resulting in meta- 
meta-... information and reasoning. 



3.2 Information Exchange between Tasks 

Information links between components are used to specify information exchange 
between tasks. Two types of information links are distinguished: private information 
links and mediating information links. For a given parent component, a private 
information link relates output of one of its components to input of another, by 
specifying which truth value of a specific output atom is linked with which truth 
value of a specific input atom. Atoms can be renamed: each component can be 
specified in its own language, independent of other components. In a similar manner 
mediating links transfer information from the input interface of the parent component 
to the input interface of one of its components, or from the output interface of one of 
its components to the output interface of the parent component itself. Mediating
links specify the relation between the information at two adjacent levels in the
component hierarchy. The conditions for activation of information links are explicitly
specified as task control knowledge. 



3.3 Sequencing of Tasks 

Task sequencing is explicitly modelled within components as task control knowledge. 
Task control knowledge includes not only knowledge of which tasks should be 
activated, when and how, but also knowledge of the goals associated with task 
activation and the extent to which goals should be derived. These aspects are 
specified as component and link activation together with task control foci and extent 
to define the component's goals. Components are, in principle, black boxes to the task 
control of an encompassing component: task control is based purely on information 
about the success and/or failure of component reasoning. Reasoning of a component 
is considered to have been successful with respect to an evaluation criterion if it has 
reached the goals specified by this evaluation criterion to the extent specified (e.g., 
any or every). 



3.4 Delegation of Tasks 

During knowledge acquisition a task as a whole is modelled. In the course of the 
modelling process decisions are made as to which tasks are (to be) performed by 
which agent. This process, which may also be performed at run-time, results in the 
delegation of tasks to the parties involved in task execution. In addition to these 
specific tasks, often generic agent tasks, such as interaction with the world 
(observation) and other agents (communication and cooperation) are assigned. 



3.5 Knowledge Structures 

During knowledge acquisition an appropriate structure for domain knowledge must 
be devised. The meaning of the concepts used to describe a domain and the relations 
between concepts and groups of concepts, are determined. Concepts are required to 
identify objects distinguished in a domain (domain-oriented ontology), but also to
express the methods and strategies employed to perform a task (task-oriented 
ontology). Concepts and relations between concepts are defined in hierarchies and 
rules based on order-sorted predicate logic. In a specification document references to 
appropriate knowledge structures (specified elsewhere) suffice; compositional 
knowledge structures are composed by reference to other knowledge structures.



4 Global Structure of a Generic Agent

To model an agent capable of reasoning about its own tasks, processes and plans, its 
knowledge of other agents, its communication with other agents, its knowledge of the 
world and its interaction with the world, a generic agent architecture has been devised 
in which such types of reasoning are transparently allocated to specific components of 
an agent (see (Brazier, Jonker and Treur, 1997)). 

This generic architecture can be applied to different types of agents. In this paper 
this architecture is refined to model a rational agent with motivational attitudes: other 
architectures are more applicable for other types of agents. The generic architecture is 
described in this section, while the refined BDI architecture is the subject of Section 
5. 

Four of the five types of knowledge distinguished above in Section 3 are used to 
describe this generic architecture: task composition, information exchange, 
sequencing of tasks and knowledge structures. Within an individual agent, task 
delegation is trivial. 



4.1 Task Composition 

As stated above an agent needs to be capable of reasoning about its own processes, its 
own tasks, other agents and the world. In other words, an agent needs to be capable of 
six tasks: 

(1) controlling its own processes, 

(2) performing its own specific tasks, 

(3) managing its interaction with the world (observation, execution of actions), 

(4) managing its communication with other agents, 

(5) maintaining information on the world, and 

(6) maintaining information on other agents. 



4.2 Information Exchange 

Information links are defined for the purpose of information exchange between 
components. The component agent_interaction_management receives information from, 
and sends information to, other agents. The component world_interaction_management 
on the other hand exchanges information with the external world. Both components 
also exchange information with the component own_process_control. Which 
information is required by an agent specific task depends on the task itself and 
therefore cannot be predefined. To fully specify the exchange of information, a more 
specific analysis of the types of information exchange is required. In Figure 1, a
number of information links defined for information exchange at the top level of the
agent are shown together with the names of the components they connect.

Link name                    From component                To component
import_world_info            agent (input interface)       world_interaction_management
export_world_info            world_interaction_management  agent (output interface)
transfer_comm_world_info     agent_interaction_management  maintenance_of_world_information
provide_world_state_info     world_interaction_management  own_process_control
import_agent_info            agent (input interface)       agent_interaction_management
export_planned_comm          agent_interaction_management  agent (output interface)
provide_agent_info           agent_interaction_management  own_process_control
transfer_committed_acts&obs  own_process_control           world_interaction_management
transfer_agent_commitments   own_process_control           agent_interaction_management
transfer_planned_comm        own_process_control           agent_interaction_management


Fig. 1. Links for information exchange at the top level of an agent 



In Figure 2 a graphical representation of the generic architecture for an agent is 
shown; in this figure a number of the information links and the components they 
connect, are depicted. 




Fig. 2. Top level composition and information links of a generic agent



4.3 Task Sequencing

Minimal task control has been modelled and specified for the top level of the generic 
agent. Task control knowledge specifies that all generic components and links are 
initially awakened. The awake status specifies that as soon as new information 
arrives, it is processed. This allows for parallel processing of information by different 
components. The links which connect an agent to other agents are activated by the 
agents from which they originate. Global task control includes specifications such as 
the following rule: 

if start
then next_component_state(own_process_control, awake)
and next_component_state(world_interaction_management, awake)
and next_component_state(agent_interaction_management, awake)
and next_link_state(import_agent_info, awake)
and next_link_state(export_agent_info, awake)
and next_link_state(import_world_info, awake)
and next_link_state(export_world_info, awake)
and next_link_state(transfer_comm_world_info, awake)



4.4 Knowledge Structures 

Generic knowledge structures are used within the specification of a generic agent, a 
number of which have been shown above. In the following section more detailed 
examples of specifications of knowledge structures will be shown for a rational agent 
with motivational attitudes. 



4.5 Building a Real Agent 

Each of the six components of the generic agent model presented above can be 
refined in many ways, resulting in models of agents with different characteristics. 
(Brazier, Jonker and Treur, 1996) describe a model of a generic cooperative agent, 
based on the generic agent model and Jennings' model of cooperation, see (Jennings,
1995). In (Brazier and Treur, 1996) another refinement of the generic agent model is 
proposed for reflective agents capable of reasoning about their own reasoning 
processes and other agents' reasoning processes. In the following section a 
refinement of the component own_process_control is presented in which motivational 
attitudes (including beliefs, desires and intentions) play an important role. 



5 A Model for Rational Agents with Motivational Attitudes

The generic model and specifications of an agent described above, can be refined to a 
generic model of a rational BDI agent capable of explicit reasoning about its beliefs, 
desires, intentions and commitments. First, some of the assumptions behind the model 
are discussed (Section 5.1). Next the specification of the model is presented for the 
highest level of abstraction (in Section 5.2 and 5.3), and for the more specific levels 
of abstraction (Section 5.4).



5.1 Rational Agents with Motivational Attitudes

Before presenting the model, some of the assumptions upon which this model is 
based, are described. Agents are assumed to be rational: they must be able to 
generate goals and act rationally to achieve them, namely by planning, replanning, and
plan execution. Moreover, to fully adhere to the strong notion of agency, an agent's 
activities are described using mentalistic notions usually applied to humans. This does 
not imply that computer systems are believed to actually "have" beliefs and 
intentions, but that these notions are believed to be useful in modelling and specifying 
the behaviour required to build effective multi-agent systems (see, for example, 
(Dennett, 1987) for a description of the "intentional stance"). 

A first assumption is that motivational attitudes, such as beliefs, desires, 
intentions and commitments are defined as reflective statements about the agent itself 
and about the agent in relation to other agents and the external world. These reflective 
statements are modelled in DESIRE in a meta-language, which is order-sorted
predicate logic. Functional or logical relations between motivational attitudes and 
between motivational attitudes and informational attitudes are expressed as meta- 
knowledge, which may be used to perform meta-reasoning resulting in further 
conclusions about motivational attitudes. For example, in a simple instantiation of the 
model, beliefs can be inferred from meta-knowledge that any observed fact is a 
believed fact and that any fact communicated by a trustworthy agent is a believed 
fact. 

A second assumption is that information is classified according to its source:
internal information, observation, communication, deduction, assumption making.
Information is explicitly labeled with these sources. Both informational attitudes 
(such as beliefs) and motivational attitudes (such as desires) depend on these sources 
of information. Explicit representations of the dependencies between attitudes and 
their sources are used when update or revision is required. 

A third assumption is that the dynamics of the processes involved are explicitly 
modelled. For example, a component may be made awake from the start, which 
means that it always processes incoming information immediately. If more 
components are awake, their processes will run in parallel. But, if tasks depend on 
each other, sequential activation may be preferred. Both parallel and sequential 
activation may be specified explicitly. If required, update or revision takes place and 
is propagated through different components by active information links. 

A fourth assumption is that the model presented below is generic, in the sense 
that the explicit meta-knowledge required to reason about motivational and 
informational attitudes has been left unspecified. To tune the model to a given 
application this knowledge has to be added. In this paper, examples of the types of 
knowledge are given for the purpose of illustration. 

A fifth assumption is that intentions and commitments are defined with respect to 
both goals and plans. An agent accepts commitments towards itself as well as 
towards others (social commitments). In this paper, an agent determines which goals 
it intends to fulfill, and commits to a selected subset of these goals. Similarly, an 
agent determines which plans it intends to perform, and commits to a selected subset 
of these plans. 

Most reasoning about beliefs, desires, and intentions can be modelled as an 
essential part of the reasoning an agent needs to perform to control its own processes. 
A refinement of the generic component own_process_control described in Section 4 is 
presented below.



5.2 A Refined Model of Own Process Control

Finally, to design a BDI agent, the component own_process_control is refined. The 
component own_process_control is composed of three components, which reason about: 

(1) the agent's beliefs 

(2) its desires 

(3) its intentions and commitments with respect to both goals and plans. 

The extended task hierarchy for a BDI agent is shown in Figure 3. The component 
belief_determination performs reasoning about relevant beliefs in a given situation. In 
the component desire_determination an agent determines which desires it has, related to 
its beliefs. Intended and committed goals and plans are derived by the component 
intention_and_commitment_determination. This component first determines the goals 
and/or plans it intends to pursue before committing to the specific selected goals 
and/or plans. All three components are further refined in Section 5.4. 



own process control
    belief determination
    desire determination
    intention and commitment determination
        goal determination
            intended goal determination
            committed goal determination
        plan determination
            intended plan determination
            committed plan determination



Fig. 3. Task hierarchy of own process control within a BDI agent 



In the model, beliefs and desires influence each other reciprocally. Furthermore, 
beliefs and desires both influence intentions and commitments. This is explicitly 
modelled by information links between the components and meta-knowledge within 
each of the components. 

In Figures 4.1 and 4.2, the composition of own_process_control is shown, together 
with the exchange of information. This is specified in DESIRE graphically as in 
Figure 4.1. 









Fig. 4.1. Refinement of own process control within the BDI agent



Fig. 4.2. Further refinement of goal determination and plan determination



Task control knowledge of the component own_process_control determines that: 

(1) initially all links within the component own_process_control are awakened, and the 
component belief_determination is activated, 

(2) once the component belief_determination has succeeded in reaching all possible 
conclusions (specified in the evaluation criterion goals) desire_determination is activated 
and belief_determination is made continually active (awake), 

(3) once the component desire_determination has succeeded in reaching all possible
conclusions (specified in the evaluation criterion desires), the component
intention_and_commitment_determination is activated and desire_determination is made
continually active (awake). In addition, the desires in which the agent may want to
believe (wishful thinking) are transferred to the component belief_determination.

Task control of the component intention_and_commitment_determination, in turn, is 
described in Section 5.4.3.



5.3 The Global Reasoning Strategy

The global reasoning strategy specified by task control knowledge in the model is that 
some chosen desires (depending on knowledge in the component 
intended_goal_determination, existing beliefs and specific agent characteristics) become 
intentions, and some selected intentions (depending on knowledge in the component 
committed_goal_determination and specific agent characteristics) are translated into 
committed_goals to the agent itself and to other agents. The agent then reasons about 
ways to achieve the committed_goals on the basis of knowledge about planning in the 
component committed_plan_determination, resulting in the construction of a 
committed_plan. This plan is transferred to one or more of the other high-level 
components of the agent (depending on the plan in question), namely 
world_management, agent_management, and agent_specific_tasks, to be executed. 



5.4 Further Refinement of Components 

In the previous two sections the model for reasoning about motivational attitudes was 
described in terms of the three tasks within the component own_process_control and 
their mutual interaction. In this section each of the tasks themselves is described in 
more detail. 

5.4.1 Belief Determination 

The task of belief determination requires explicit meta-reasoning to generate beliefs. 
The specific knowledge used for this purpose obviously depends on the domain of 
application. The adopted model specifies meta-knowledge about beliefs based on six 
different sources: 



(1) internal beliefs of an agent 

Internal beliefs are beliefs which an agent inherently has, with no further indication of
their source. They can be expressed as meta-facts of the form
internal_belief(X:Statement), meaning that X:Statement is an internal belief. These
meta-facts can be specified as initial facts or be inferred from other internal
meta-information. By meta-knowledge of the form

if internal_belief(X:Statement) then belief(X:Statement) 

beliefs can be derived from the internal beliefs. 

(2) beliefs based on observations 

Beliefs based on observations are acquired on the basis of observations of the world, 
either at a particular moment or over time. Simple generic meta-knowledge can be 
used to derive such beliefs: 

if observed_world_fact(X:Statement) then belief(X:Statement). 

(3) beliefs based on communication with other agents 

Communication with other agents may, if agents are considered trustworthy, result in 
beliefs about the world or about other agents. Generic meta-knowledge that can be 
used to derive such beliefs is:

if communicated_fact_by(X:Statement, A:Agent) and trustworthy(A:Agent)
then belief(X:Statement)

(4) beliefs deduced from other beliefs 

Deduction from other beliefs can be performed by means of an agent's own
(domain-dependent) knowledge of the world, of other agents and of itself.

(5) beliefs based on assumptions 

Beliefs based on assumptions may be derived from other beliefs (and/or from 
epistemic information on the lack of information) on the basis of default knowledge, 
knowledge about likelihood, et cetera. For example, a default rule (a : b) / c can be 
specified as meta-knowledge (e.g. according to the approach described by (Tan and 
Treur, 1992)). 

(6) beliefs based on desires 

In the case of wishful thinking beliefs may be implied by generated desires. For 
example, as an extreme case, a strongly wishful-thinking agent may have the 
following knowledge in belief_determination: 

if not belief(not(X:Statement)) and desired(X:Statement) then belief(X:Statement)



A more sophisticated model to generate beliefs can also keep track of the source of a
belief. This can be specified in the meta-language by adding labels to beliefs
reflecting their source, for example by belief(X:Statement, L:Label). Here the label L:Label 
can denote a single source, such as observed, or communicated_by(A:Agent), but if beliefs 
have been combined to generate other beliefs, also combined labels can be generated 
as more complex term structures, expressing that a belief depends on a number of 
sources. 
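
The labelled belief derivation described above can be sketched as follows. This is an added Python example, not DESIRE and not the authors' specification: it implements sources (1), (2), (3), (4) and (6), and records for each belief the combination of sources every derivation depends on, so that withdrawing trust in an agent removes exactly the beliefs that rest on it. The tuple encoding of labels, the helper names and the sample facts are assumptions constructed for illustration.

```python
from itertools import product

# Base source labels; the tuple encoding is an assumption of this sketch.
INTERNAL = ("internal",)
OBSERVED = ("observed",)
DESIRED = ("desired",)


def communicated_by(agent):
    return ("communicated_by", agent)


def negation(statement):
    return ("not", statement)


def derive_beliefs(internal=(), observed=(), communicated=(), trustworthy=(),
                   rules=(), desired=(), wishful=False):
    """Return {statement: set of supports}. A support is a frozenset of the
    base source labels that one derivation of the belief depends on."""
    beliefs = {}

    def add(statement, support):
        supports = beliefs.setdefault(statement, set())
        if support in supports:
            return False
        supports.add(support)
        return True

    def deduce():
        # Source (4): apply domain rules (premises, conclusion) to a fixpoint.
        # The label of a conclusion combines the labels of all its premises.
        changed = True
        while changed:
            changed = False
            for premises, conclusion in rules:
                if not all(p in beliefs for p in premises):
                    continue
                for combo in product(*(beliefs[p] for p in premises)):
                    if add(conclusion, frozenset().union(*combo)):
                        changed = True

    for statement in internal:                 # source (1)
        add(statement, frozenset([INTERNAL]))
    for statement in observed:                 # source (2)
        add(statement, frozenset([OBSERVED]))
    for statement, agent in communicated:      # source (3)
        if agent in trustworthy:               # untrusted senders are ignored
            add(statement, frozenset([communicated_by(agent)]))
    deduce()
    if wishful:                                # source (6), applied last
        for statement in desired:
            if negation(statement) not in beliefs:
                add(statement, frozenset([DESIRED]))
        deduce()
    return beliefs


def relies_on(beliefs, statement, label):
    """True if every derivation of the belief depends on the given source."""
    supports = beliefs.get(statement, set())
    return bool(supports) and all(label in s for s in supports)


# Constructed scenario (not from the paper).
RULES = [(("package_at_dock", "truck_available"), "delivery_possible")]


def scenario(trustworthy, wishful=False, internal=()):
    return derive_beliefs(
        internal=internal,
        observed=["package_at_dock"],
        communicated=[("truck_available", "agent_b"),
                      ("dock_closed", "agent_c")],
        trustworthy=trustworthy,
        rules=RULES,
        desired=["delivery_possible"],
        wishful=wishful,
    )


if __name__ == "__main__":
    for stmt, supports in scenario({"agent_b"}).items():
        print(stmt, [sorted(s) for s in supports])
```

Because the beliefs are recomputed from the labelled sources, calling scenario with an empty set of trustworthy agents shows the revision step: the deduced belief disappears while the observed one remains.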

Another aspect of importance is the omniscience problem (Fagin et al., 1995), 
which requires the control of the belief generation process. In practical reasoning 
processes, only those beliefs are generated that are of specific interest. Specific 
solutions to the omniscience problem may be modelled explicitly within this 
component. 

5.4.2 Desire Determination 

Desires can refer to a (desired) state of affairs in the world (and the other agents), but 
also to (desired) actions to be performed. Often, desires are influenced by beliefs. 
Because beliefs can be based on their source, as discussed in Section 5.4.1, desires 
can inherit these sources. In addition, desires can have their own internal source, for 
example desires can be inherent to an agent. Knowledge on how desires are generated 
is left unspecified in the generic model. 

5.4.3 Intention and Commitment Determination 

Intended and committed goals and plans are determined by the component 
intention_and_commitment_determination; this component is composed of the components
goal_determination and plan_determination. Each of these two components first
determines the intended goals and/or plans it wishes to pursue before committing to a 
specific goal and/or plan. 

In the component goal_determination commitments to goals are generated in two 
stages. In the component intended_goal_determination, based on beliefs and desires, but
also on preferences between goals, specific goals become intended goals. Different
agents have different strategies to choose which desires will become intentions. For 
example: 

• some (eager) agents may choose a desire as an intention as soon as it is consistent 
with their previously established intended goals; 

• others (socially complying agents) may select an intention when it is one of their 
desires which is an intention of other agents with which they automatically comply; 

• and still others (apathetic agents) may select no intentions at all. 

These differences in agent characteristics can be expressed in the (meta-)knowledge 
specified for intended_goal_determination. For each intended goal a condition (in the 
form of not inadequate_intended_goal(X:Statement)) is specified that expresses the 
adequacy of the goal, i.e., that the goal is not subject to revision. As soon as it has 
been established that the intention has to be dropped, the intended goal becomes 
inadequate, so this condition no longer holds, which in turn leads to the retraction of 
the intended goal on the basis of the revision facilities built into the semantics and
execution environment of DESIRE. 
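
One way to encode the three agent characters listed above together with the adequacy condition, as an added Python sketch rather than DESIRE (it is not the authors' specification). The conflict relation used for the consistency check, the character names as strings and the sample desires are assumptions constructed for illustration.

```python
def consistent(goal, intended, conflicts):
    """A goal is consistent if it conflicts with no goal already intended."""
    return all(frozenset((goal, g)) not in conflicts for g in intended)


def intended_goals(character, desires, conflicts=(), others_intentions=(),
                   inadequate=()):
    """Select intended goals from desires given in preference order.

    character         -- "eager", "socially_complying" or "apathetic"
    conflicts         -- pairs of goals that cannot be intended together
    others_intentions -- intentions of agents this agent complies with
    inadequate        -- goals for which inadequate_intended_goal(X) holds
    """
    conflicts = {frozenset(pair) for pair in conflicts}
    if character == "apathetic":
        candidates = []                       # selects no intentions at all
    elif character == "socially_complying":
        candidates = [d for d in desires if d in others_intentions]
    elif character == "eager":
        candidates = list(desires)
    else:
        raise ValueError(f"unknown agent character: {character}")

    intended = []
    for goal in candidates:
        if goal in inadequate:
            # 'not inadequate_intended_goal(X)' fails: the goal is retracted.
            continue
        if consistent(goal, intended, conflicts):
            intended.append(goal)
    return intended


# Constructed sample data (not from the paper).
DESIRES = ["attend_meeting", "finish_report", "go_home_early"]
CONFLICTS = [("attend_meeting", "go_home_early")]

if __name__ == "__main__":
    print(intended_goals("eager", DESIRES, CONFLICTS))
    print(intended_goals("eager", DESIRES, CONFLICTS,
                         inadequate={"attend_meeting"}))
```

Retracting an intended goal can free a lower-preference desire that it was blocking, which the second call shows.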

In the component committed_goal_determination a number of intended goals are 
selected to become goals to which the agent commits; again, different agents have 
different strategies to select committed goals, and these different strategies can be 
expressed in the (meta-)knowledge specified for the component 
committed_goal_determination. The committed goals are transferred to the component 
plan_determination. In a manner similar to intended goal determination, the knowledge 
specified for the component committed_goals includes a condition 
inadequate_committed_goal(X:Statement) that plays a role in revision. 

In the component plan_determination commitments to goals are analysed and 
commitments to plans are generated in two stages. In the component 
intended_plan_determination plans are generated dynamically, combining primitive 
actions and predefined plans known to the agent (stored in an implementation, for 
example, in a library). On the basis of knowledge of the quality of plans, committed 
goals, beliefs and desires, a number of plans become intended plans. The component 
committed_plan_determination determines which of these plans should actually be 
executed; in other words, to which plans an agent commits. If no plan can be devised
to reach one or more goals to which an agent has committed, this is made known to 
the component goal_determination. If a plan has been devised, execution of a plan 
includes determining, at each point in time, which actions are to be executed. During 
plan execution, monitoring information can be acquired by the agent through 
observation and/or communication. Plans can be adapted on the basis of observations 
and communication, but also on the basis of new information on goals to which an 
agent has committed. If, for example, the goals for which a certain plan has been 
devised, are no longer relevant, and thus withdrawn from an agent's list of committed 
goals, it may no longer make sense to execute this plan.



6 Modelling Commitment Strategies



Specifications in DESIRE define in a declarative manner the behaviour of a multi- 
agent system with respect to their integrated reasoning processes and acting processes 
(observing, communicating, executing actions in the world). Characteristic to this 
approach to modelling multi-agent systems is that strategies, revision, and the 
integration of communication, observation and action in the reasoning process, are 
explicitly modelled and specified. 



6.1 Specification of Commitment Strategies 

After plan construction, the phase of plan realization starts. During this phase, all 
components of own_process_control are continually awake, so that any revision of an 
agent's informational and motivational attitudes is propagated immediately by transfer 
of the new information through links to other components. The fact that both 
information links and components are always awake ensures that this happens without 
further explicit specification of activation. Thus, new information is not necessarily 
expected at specific points in the process. 

In our model, the crucial difference between the three kinds of agents, defined 
according to their commitment strategies as discussed in Section 2, manifests itself in 
their reaction to different kinds of information received through different links. For 
all types of agents final revision of commitments takes place in the component
intention_and_commitment_determination, namely in the components
committed_goal_determination and committed_plan_determination. These are the
components in which the knowledge about different commitment strategies resides.

To be more specific, the blindly committed agent only drops a committed_goal as a 
reaction to the receipt of information that the relevant goal has been realized. This 
information is transferred from the component belief_determination through the link 
transfer_belief_info_for_id, which in turn receives it through the link 
import_ws_info_for_bd, from the higher level components world_management and 
possibly from the component agent_specific_tasks. Some of the relevant generic 
knowledge present in the component committed_goal_determination is the following: 

if own_commitment_strategy(blind) and goal_reached(X:Statement)
then to_be_dropped_committed_goal(X:Statement)

If this rule succeeds, an information link from committed_goal_determination to itself 
transfers the conclusion to_be_dropped_committed_goal(X:Statement) to update the atom 
inadequate_committed_goal(X:Statement) to true, which, in turn, leads to the retraction of 
the committed goal, as described in Section 5.4.3. For simplicity these update links 
have not been depicted in Figure 4. 

The single-minded agent, in addition, drops a committed_goal as a reaction to the 
information that the relevant goal can no longer be realized. This information is 
transferred from the component belief_determination. The knowledge present in the 
component committed_goal_determination includes the following: 



if own_commitment_strategy(single_minded) and goal_reached(X:Statement) 
then to_be_dropped_committed_goal(X:Statement) 

if own_commitment_strategy(single_minded) and goal_not_achievable(X:Statement) 
then to_be_dropped_committed_goal(X:Statement) 

The information goal_not_achievable(X:Statement), in turn, may depend on beliefs. In the 
first case the information may be transferred through the link import_ws_info_for_bd, 
from the higher level component world_management. In the second case plan revision 
is involved. In either case the relevant committed_plan is dropped using knowledge in 
the component committed_plan_determination: 

if own_commitment_strategy(single_minded) and plan_not_achievable(X: plan) 
then to_be_dropped_committed_plan(X: plan) 

Next, in the second case, in order to check whether the relevant goal is achievable, the 
component plan_determination tries to design a plan. If this component succeeds in 
designing a new plan, this plan is adopted, and the original goal is maintained. If not, 
the component comes to the conclusion (based on exhaustive search) that no new plan 
can be designed. The component committed_goal_determination derives that the original 
goal must be retracted. Information specifying the success or failure of the design of a 
new plan is transferred from the component plan_determination to the component 
committed_goal_determination. 

The open-minded agent, finally, in addition to the reasons adopted by the blindly 
committed agent and the single-minded agent, also drops a committed_goal in reaction 
to information that the goal is no longer desired, received from the component 
desire_determination through the link transfer_desire_info_for_id. The knowledge included 
in the component committed_goal_determination includes the following: 

if own_commitment_strategy(open_minded) and goal_reached(X:Statement) 
then to_be_dropped_committed_goal(X:Statement) 

if own_commitment_strategy(open_minded) and goal_not_achievable(X:Statement) 
then to_be_dropped_committed_goal(X:Statement) 

if own_commitment_strategy(open_minded) and goal_not_desired(X:Statement) 
then to_be_dropped_committed_goal(X:Statement) 

In the last case the desire may have been dropped for many different reasons, not to 
be elaborated in this paper. 

For all three agents, the stage of dropping a committed goal and/or a committed 
plan is followed by communication to the relevant agents. After this, a new 
committed goal should be established in the component 
intention_and_commitment_determination. 



6.2 An Example: Meeting Scheduling 

To illustrate the use of explicit knowledge of dependencies and strategies for belief, 
intention and commitment revision, within the BDI model (specified within the 
DESIRE framework), a small, simplified example of an application, namely meeting 
scheduling, is described. 

Three agents A1, A2 and A3 all believe that a meeting is required, and that their 
presence at this meeting is desired. They also believe that all three agents' presence is 
required. As agreement has been reached on a specific time slot, they all have an 
additional desire, namely to be at a meeting at the specific time slot. 

The goal to be at a meeting in general, and at the specific meeting in particular, 
has been adopted by all three agents as an intended and committed goal. To 
accomplish this goal they all intend, and have committed to a plan to be at the specific 
meeting. In this example all three agents are single-minded. Below, the revision of 
attitudes is described from the point of view of A3. Agent A1 discovers that agent A2 
is no longer available at the given time slot for the meeting. 

Communication is required: 

Agent A1 informs agent A3 of this fact. 

As agent A3 believes that information A1 conveys is true, agent A3 also believes that 
agent A2 is no longer available. 

Belief revision: 

Given this new belief, agent A3 realizes that a prerequisite for the meeting (namely 
that all three participants' presence is required) no longer holds, and that the meeting 
can not be held as planned. 

Dropping of committed goal: 

As A3 is a single-minded agent, it is now allowed to drop its committed goal and the 
associated committed plan of meeting at the specific meeting. 

Desire revision: 

The desire to hold a meeting remains. The desire to hold the specific meeting is 
retracted. 

Intention and commitment revision: 

Agent A3's intention and commitment to the general goal of holding a meeting with 
the three other agents still hold. Its intention and commitment to the goal of holding 
the specific meeting are retracted. 

The intention and commitment to the plan for the specific meeting are also retracted. 

The stage Dropping of committed goal follows the specification for single-minded 
agents elaborated in Section 6.1; the other stages can be described similarly (see 
(Brazier, Dunin-Keplicz, Treur and Verbrugge, 1997) for an extended specification). 
In the example above, both committed and intended goals are dropped during 
intention and commitment revision. However, there are examples in which a 
committed goal is retracted while the corresponding intended goal remains; for 
example, a single-minded agent may become ill and retract its commitment to be 
present at the meeting, while still keeping its intention to be there (hoping to have 
recovered before the meeting). 
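
The drop rules of Section 6.1 applied to the meeting example of Section 6.2, as an added Python sketch (not DESIRE code and not part of the original specification). The names Agent, DROP_TRIGGERS, replan and meeting_scenario, and the goal and plan labels, are hypothetical; the plan rule is applied only to single-minded agents because that is the only strategy for which the text states it.

```python
from dataclasses import dataclass, field

# Facts about a committed goal that make each strategy conclude
# to_be_dropped_committed_goal(X), as listed in Section 6.1.
DROP_TRIGGERS = {
    "blind": {"goal_reached"},
    "single_minded": {"goal_reached", "goal_not_achievable"},
    "open_minded": {"goal_reached", "goal_not_achievable", "goal_not_desired"},
}


@dataclass
class Agent:
    name: str
    strategy: str
    committed_goals: set
    committed_plans: dict                       # plan -> goal it serves
    facts: set = field(default_factory=set)     # (predicate, statement) pairs
    outbox: list = field(default_factory=list)  # messages for the other agents

    def receive(self, predicate, statement, replan=lambda goal: None):
        """New information arrives over a link; revision runs immediately,
        mirroring components and links that are always awake."""
        self.facts.add((predicate, statement))
        return self._revise(replan)

    def _revise(self, replan):
        # committed_plan_determination (rule given for single_minded only):
        # drop the failed plan, then let plan determination try to design
        # a new one. `replan` stands in for that component (assumption).
        if self.strategy == "single_minded":
            failed = [p for p in self.committed_plans
                      if ("plan_not_achievable", p) in self.facts]
            for plan in failed:
                goal = self.committed_plans.pop(plan)
                new_plan = replan(goal)
                if new_plan is not None:
                    self.committed_plans[new_plan] = goal   # goal is maintained
                else:
                    self.facts.add(("goal_not_achievable", goal))

        # committed_goal_determination: apply the strategy's drop rules.
        triggers = DROP_TRIGGERS[self.strategy]
        dropped = sorted(g for g in self.committed_goals
                         if any((t, g) in self.facts for t in triggers))
        for goal in dropped:
            self.committed_goals.discard(goal)
            # The associated committed plan goes with the goal (Section 6.2).
            self.committed_plans = {p: g for p, g in self.committed_plans.items()
                                    if g != goal}
            # Dropping is followed by communication to the relevant agents.
            self.outbox.append(("dropped", goal))
        return dropped


def meeting_scenario(strategy):
    """A3's view: A1 reports that A2 is unavailable, and A3's belief revision
    concludes that the specific meeting can no longer be held."""
    a3 = Agent("A3", strategy,
               committed_goals={"meeting", "meeting_at_slot"},
               committed_plans={"attend_at_slot": "meeting_at_slot"})
    dropped = a3.receive("goal_not_achievable", "meeting_at_slot")
    return dropped, a3


if __name__ == "__main__":
    for s in DROP_TRIGGERS:
        dropped, agent = meeting_scenario(s)
        print(s, dropped, sorted(agent.committed_goals), agent.committed_plans)
```
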







7 Discussion and Conclusions 

In this paper a generic model for a rational BDI agent with explicit knowledge of 
dependencies between motivational attitudes has been modelled in DESIRE. The 
BDI model also includes knowledge of different commitment strategies in which 
these dependencies are used to reason about beliefs, desires and intentions, but also to 
explicitly revise specific beliefs, desires and/or intentions. Communication, action 
and observation may influence an agent's beliefs, desires, goals and plans 
dynamically. 

The formal specification in DESIRE provides a bridge between logical theory, 
e.g. (Rao and Georgeff, 1991) and practice of BDI agents. Another bridge is 
described in (Rao, 1996), in which the operational semantics of a language 
corresponding to the implemented system dMARS, are formalized. Our model, in 
contrast, emphasizes the analysis and design methods of BDI systems, as do the 
architectures of (Jennings, 1995; Kinny, Georgeff and Rao, 1996). However, there are 
differences as well: our specification is more formal than Jennings' specification in 
(Jennings, 1995). DESIRE has a logical basis for which a temporal semantics has 
been defined (Brazier, Treur, Wijngaards and Willems, 1995). In contrast to the BDI 
architecture described in (Kinny, Georgeff and Rao, 1996), in our approach dynamic 
reasoning about beliefs, desires and goals, during plan execution, may lead to the 
construction of a (partially) new plan. This is partly caused by the parallel nature of 
specific reasoning processes in this model, but is also a consequence of the nature of 
explicit strategic knowledge of commitment strategies in the model. Strategic 
knowledge is used to revise, for example, beliefs, but also to revise intentions and 
commitments to goals and plans, during a dynamic process. Revisions are propagated 
by transfer of updated information on beliefs, desires and intentions to the 
components that need the information: components that reason about beliefs, desires, 
intentions, goals and plans. 

The nature of continual activation of components and links makes it possible to 
transfer updated or new beliefs "automatically" to the relevant components. (The 
compositional revision approach incorporated in DESIRE is discussed in more depth 
in (Pannekeet, Philipsen and Treur, 1992)). In the paper the example of new 
information received from another agent, which may influence beliefs on which a 
goal has been chosen, is used to illustrate the effect this may have on the execution of 
a plan. Retraction of beliefs may lead to retraction of a number of goals that were 
based on these beliefs, which in turn may lead to retraction of a commitment to these 
goals. If the belief is the basis for a commitment to a plan, retraction of the belief may 
result in the retraction of the commitment to the plan and thus to its execution. 

The DESIRE framework provides support in distinguishing the types of 
knowledge required to model rational agents based on mental attitudes. An existing 
agent architecture provided the basis for the model and the specification language 
provided a means to express the knowledge involved. By declaratively specifying 
task control knowledge and information exchange for each task, the dynamic process 
of revision has been explicitly specified. 

The model as such provides a basis for further research: within this model more 
specific patterns of reasoning and interaction can be modelled and specified. 
Maintenance goals can be considered, joint commitments and joint actions can be 
modelled, more extensive communication patterns between agents can be analysed 
and represented, relative importance of intentions can be expressed, et cetera. 

In contrast to general purpose formal specification languages such as Z and 
VDM, DESIRE is committed to well-structured compositional models. Such models 
can be specified in DESIRE at a higher level of conceptualisation than in Z or VDM 
and can be implemented automatically through use of automated implementation 
generators. 

Abstract. Objects in information systems usually have a very long life- 
span. Therefore, it often happens that during the life of an object ex- 
ternal requirements are changing, e.g. changes of laws. Such changes 
often require the object to adopt another behavior. In consequence, it is 
necessary to get a grasp of dynamically changing object behavior. Un- 
fortunately, not all possible changes can in general be taken into account 
in advance at specification time. Hence, current object specification ap- 
proaches cannot deal with this problem. Flexible extensions of object 
specification are needed to capture such situations. 

The approach we present and discuss in this paper is an important step 
towards a specification framework based on the concept of agents by in- 
troducing a certain form of knowledge as part of the internal state of ob- 
jects. Especially, we concentrate on the specification of evolving temporal 
behavior. For that, we propose an extension (called Evolving Temporal 
Logic) of classical temporal logic approaches to object specification. 
Keywords: Modeling information systems, agent-oriented specification, 
dynamically changing behavior, evolving temporal logic. 



1 Introduction 

Currently, nearly every enterprise or organization has to face the situation that 
in order to be competitive the use of modern information systems is indispensable. 
Considering the frequent and dramatic changes in the international economy 
and politics, there is clear demand for advanced information systems which are 
able to deal with highly dynamic environments, e.g. rapidly changing markets, 
increasing (world-wide) competition, and new trade agreements as well as (in- 
ter)national laws. In recent years, there have been obvious efforts in several com- 
puter science communities to build cooperative intelligent information systems 
which can deal with such aspects (see for example [HPS93]). 

Today, object-oriented techniques are in general used for modeling such ad- 
vanced information systems [Buc91,Bro92]. Most of the existing object-oriented 
approaches are successful in capturing the properties and behavior of the real- 
world entities. However, it seems that the concept of “object” (at least in its 
current understanding) cannot cover all aspects of modern information systems. 
Whereas structural aspects of such systems can easily be dealt with by cur- 
rent object-oriented approaches, these approaches succeed in coping with dynamic 
behavior only up to a certain degree. 

Typically, information system objects have a longer life-span than application 
programs, environmental restrictions, etc. Therefore, we need a semantic model 
where the behavior specification of an object or object system may be modified 
during its existence, which is not expressible in current formalisms underlying 
traditional (object-oriented) specification languages until now. 

The concept of agent [WJ95,GK94], which can be seen as a further develop- 
ment of the concept of object, seems to provide a more adequate basis for mod- 
eling such information system dynamics. In comparison to traditional objects, 
agents are flexible in the sense that they may change their behavior dynamically 
during system run-time, i.e. the behavior of an agent is not (or cannot be) com- 
pletely determined at compile or specification time. In order to get a grasp of 
such properties, we need an agent-oriented specification framework which goes 
beyond the existing object-oriented ones. 

Therefore, we propose and discuss several extensions for object specification 
languages. These extensions are intended to be first steps towards a dedicated agent- 
oriented specification framework. For that, we present a first formalization based 
on an extended temporal logic. 

The remainder of this paper is organized as follows. Section 2 starts with a 
brief presentation of current object specification technology for modeling infor- 
mation systems. Further, we introduce the concept of agent as a further evolution 
of the concept of object. In Section 3, we propose first extensions of existing ob- 
ject specification languages for capturing dynamically changing behavior. An 
extended temporal logic, called Evolving Temporal Logic, as formal basis is 
sketched in Section 4. Finally, we conclude by summarizing and pointing out 
future work. 



2 From Object Specification to Agent Design 



In recent years, object-oriented conceptual modeling of information systems 
has become a widely accepted approach. Meanwhile, there exist many object- 
oriented models and specification languages (e.g. Oblog [SSE87,SSG+91], LGM 
[FW93] or Troll [HSJ+94,JSHS96,SJH93]) proposed for those purposes. In this 
section, we briefly recall the basic ideas of the concept of object, whereby we 
base our presentation on the object model as introduced in [SSE87]. 

Basically, objects are characterized as coherent units of structure and behav- 
ior. An object has an internal state of which certain properties can be observed. 
The internal state can be manipulated explicitly through a properly defined 
event interface. Objects can be considered as observable processes. Attributes 
are the observable properties of objects which may only be changed by event 
occurrences. 

The behavior of objects is described by life cycles (or traces), which are built 
from sequences of (sets of simultaneously occurring) events. Thus, each object 
state is completely characterized by a life cycle prefix (or event snapshot), which 
determines the current attribute values. The possible evolution of objects can be 
restricted by a set of state constraints which can be used to define the admissible 
state transitions for an object. 

For textual presentation of object specifications, we use a notation close to 
the syntactical conventions of the object-oriented specification language Troll. 
In Figure 1 we introduce an example of a Troll specification. For the purposes 
of this paper, we have chosen a small universe of discourse (UoD) consisting of 
one or more account objects. Here, we assume an account to have a (unique) 
account number, a bank by which it is managed, a holder, a balance, and a limit 
for overdrawing. Moreover, we specify some basic events like opening an account, 
withdrawing money from or depositing money to an account. 



object class Account 
  identification ByAccountID: (Bank, No); 
  attributes 
    No:      nat constant; 
    Bank:    |Bank|; 
    Holder:  |Customer|; 
    Balance: money initialized 0.00; 
    Limit:   money initialized 0.00 restricted >= -5000.00; 
    Counter: nat initialized 0; 
  events 
    Open(BID:|Bank|, AccNo:nat, AccHolder:|Customer|) birth 
      changing Bank := BID, 
               No := AccNo, 
               Holder := AccHolder; 
    Withdraw(W:money) 
      enabled Balance - Limit >= W 
      changing Balance := Balance - W; 
      calling IncreaseCounter; 
    Deposit(D:money) 
      changing Balance := Balance + D; 
      calling IncreaseCounter; 
    IncreaseCounter 
      changing Counter := Counter + 1; 
    Close death; 
end object class Account; 



Fig. 1. Troll specification of an Account class. 



In TROLL-like languages, an object template specification mainly consists of 
two parts: a signature section which lists object events and attributes together 
with parameter and co-domain types, and a behavior section containing the 
axioms. As axioms we do not have general temporal logic formulas but special 
syntactic notations for typical specification patterns. 

In the declaration section for events, we mark some events as birth events or 
as death events corresponding to creation and destruction of objects, e.g. Open 
and Close. The occurrence of events can be restricted by enabling conditions, 
which are formulae built over attributes and event parameters. In connection 
with temporal quantifiers these conditions may refer to object histories. Changes 
of attribute values are caused by event occurrences, i.e. the event Withdraw 
decreases the balance of an account. 

The allowed values for object attributes may also be restricted, e.g. we may 
constrain the credit limit to at most 5000.00. Interactions inside (composite) 
objects are expressed by the event calling mechanism, e.g. a withdrawal event en- 
forces the event IncreaseCounter to occur simultaneously. Similar to attribute 
valuations, conditional event calling is supported, too. 

The object specification concepts presented so far have a major drawback: 
they succeed in capturing dynamic behavior (of information systems) only up to 
a certain degree. Indeed, languages like Troll or Oblog are expressive enough 
to model even changing object behavior depending on state changes, but these 
modifications have to be fixed during specification time, e.g. before object creation. 
However, this is too restrictive for handling object evolution in information systems. 
Typically, information system objects are characterized by long life-spans. 

Usually, during that long time-span an object and its environment 
may change in a way that cannot be foreseen in advance. Consequently, dynamic 
specification changes are needed to overcome the problem that generally not 
all possible future behaviors of an object can be anticipated in the original 
system specification. In order to support the aspect of object and object system 
evolution, respectively, in an adequate way, we need an extended, logic-based 
framework where object class descriptions may be modified during system run- 
time. 

Recently, the concept of agent, which can be seen as a further evolution 
of the concept of object (cf. [Sho93,GK94,WJ95]), has been proposed as an adequate 
means for modeling information systems. Basically, an agent may be seen as 
an intelligent and evolutionary object which is equipped with knowledge and 
reasoning capabilities and is able to deal with dynamic aspects, e.g. to change 
its state as well as its behavior dynamically. 

Like objects, agents have an internal state which is based on their history and 
influences their behavior. Whereas the internal state of objects is determined by 
the values of their attributes, agents have a more general notion of internal state: 
beside (conventional) attribute values it may contain disjunctive information, 
partial knowledge, default assumptions, etc. 

Essentially, the internal state of an agent reflects the knowledge (belief, in- 
tention, obligations, goals, etc.) of that agent at a given time. In contrast to 
traditional object concepts, this knowledge is not fixed at specification time, but 
it is changeable during the lifetime of an agent. In conclusion, we can state that 
the internal state of an agent contains strict knowledge (which is fixed at creation 
time and may not be revised) as well as some changeable knowledge (which may 
be revised or replaced under given constraints during the agent evolution). 

Agents have goals which they try to achieve (by cooperation) under given 
constraints. Each agent is obliged to satisfy its goals. Since goals are part of 
the internal state of agents, they may be changed during an agent’s lifetime, 
too. They can be extended, revised or replaced through other (more important) 
goals. In contrast, goals to be satisfied by traditional objects are fixed at speci- 
fication time, and may serve as formal requirements for implementing behavior. 
Therefore they have to be logically consistent. 

On the other hand, the agent’s goals may also be conflicting. Hence, agents 
must be able to resolve conflict situations in which not all goals may be achieved. 
In such cases, agents must be able either to revise some of their goals or to decide 
to satisfy only a few of their goals which are not conflicting. 

Agents are able to (re)act and communicate by executing sequences of ac- 
tions. Thus, agents show an external behavior that obeys the given constraints. 
In contrast to traditional objects, agents exhibit reactive behavior as well as goal- 
driven (or pro-active) behavior. Because agents are assumed to be autonomous, 
they are able to act without direct (user) intervention. 

In most cases agents have to cooperate to achieve their goals. Because of 
the fact that agents may change their behavior and/or may even change their 
signature, there must exist varying communication structures. For cooperation 
reasons agents require knowledge about other agents, i.e. their capabilities and 
goals, respectively. However, agents in general do not have the same and complete 
knowledge about other agents. In such cases, agents have to deal with partial or 
incomplete knowledge. 

Considering all these properties agents can have, it becomes clear that the 
current object specification technology as sketched in the beginning of this sec- 
tion cannot fulfill all these requirements. This is due to the fact that several 
concepts are not given in current object-oriented approaches. Nevertheless, the 
existing object specification approaches can be used as a stable basis for exten- 
sions which try to get a grasp of those agent-specific properties. 

By carefully extending the underlying semantic models and logics it should 
be possible to come closer and closer to the idea of “agents” as sketched before. 
A detailed discussion on the differences between traditional object concepts and 
the presented concept of agent can be found in [SCT95,TCS96]. 

In the following section, we propose a first agent specification language in 
which some of the agent-specific concepts are respected. This language is an ex- 
tension of an existing object-oriented specification language. Instead of inventing 
a completely new specification language the extension of an existing and well- 
understood specification language offers us the possibility to experiment on a 
stable and well-understood basis. 



3 Towards an Agent-Oriented Specification Language 

In this section, we sketch the basic frame of an agent-oriented specification lan- 
guage by giving example specifications. We point out that in this first approach 
only a few, but very important agent-specific concepts like dynamic behavior are 
respected. 

Our starting point is the idea of “considering states as theories” (a similar ap- 
proach was taken in [Rei84]). In comparison to usual object-oriented approaches 
where the state of an object is described by a simple value map assigning each 
attribute a corresponding value, the “states as theories” approach is much more 
powerful by assuming that a state is described by a set of formulas. Depending 
on the underlying logic that we apply for formulating such formulas, we can 
then express different kinds of knowledge, for example knowledge about the fu- 
ture behavior of an agent as part of its own state as well as knowledge about 
the states of other agents. 

In this way, simple state changes can become changes of theories by which 
we can even express the change of knowledge or goals of an agent. Thereby, 
knowledge revision as well as dynamic knowledge acquisition can be specified. 
Furthermore, partial knowledge is possible and default knowledge could be in- 
tegrated. 

We propose a two-level specification framework for modeling of information 
systems in terms of agents. The first level contains usual attributes and events, 
which describe the fixed behavior of an agent. In the second level, the possible 
evolution of the agent specification is specified. 

In Figure 2 the structure of a possible specification of an agent class Account 
is sketched. The specification language used here can be considered as an ex- 
tension of the object-oriented language Troll sketched in Section 2. Similar 
to objects, agents have attributes (e.g. Balance) and events (e.g. Withdraw). 
The part of the behavior specification which must not be changed is specified in 
the rigid axioms section. In our example the effect of the events Withdraw and 
Deposit on the attribute Balance is fixed. 

In addition to the concepts used for objects, an agent has 
axiom attributes which contain sets of axioms which are valid under certain 
circumstances. In our example we have the axiom attribute Axioms which is ini- 
tialized by the empty set of axioms. In case we specify several axiom attributes 
we have to explicitly mark one of them as the current axiom set. Each formula 
which is included in the value of this special axiom attribute at a certain state 
must be fulfilled in that state. 

Similar to basic attributes, axiom attributes are changed by mutators which 
can be seen as special events. The effect of mutators is described in the 
dynamic specification section. Here, we allow the manipulation of the axiom 
attribute Axioms. We may add further axioms to Axioms, remove existing ax- 
ioms from Axioms and reset Axioms to the initial state. 



Specification of Dynamic Behavior 

As already mentioned, one main difference between agents and traditional ob- 
jects is that agents may change their behavior dynamically during their lifetime. 
There are several different ways how dynamic behavior can be specified: 

agent class Account 
  identification ByAccountID: (Bank, No); 
  attributes No: nat constant; 
             Bank: |Bank|; 
             Holder: |Customer|; 
             Balance: money initialized 0.00; 
             Limit: money initialized 0.00; 
             Counter: nat initialized 0; 
  events Open(BID:|Bank|, AccNo:nat, AccHolder:|Customer|) birth; 
         Withdrawal(W:money); 
         Deposit(D:money); 
         IncreaseCounter; 
         Close death; 
         Warning(S:string); 
  rigid axioms Open(BID:|Bank|, AccNo:nat, AccHolder:|Customer|) 
                 changing Bank := BID, 
                          No := AccNo, 
                          Holder := AccHolder; 
                 calling ResetAxioms; 
               Withdraw(W) 
                 enabled Balance - Limit >= W 
                 changing Balance := Balance - W; 
                 calling IncreaseCounter; 
               Deposit(D) 
                 changing Balance := Balance + D; 
                 calling IncreaseCounter; 
               IncreaseCounter changing Counter := Counter + 1; 
  axiom attributes Axioms initialized {}; 
  mutators ResetAxioms; 
           AddAxioms(P:Formula); 
           RemoveAxioms(P:Formula); 
  dynamic specification ResetAxioms changing Axioms := {}; 
                        AddAxioms(P) changing Axioms := Axioms ∪ P; 
                        RemoveAxioms(P) changing Axioms := Axioms - P; 
end agent class Account; 

Fig. 2. Specification of an agent class Account 

1. Using only one dynamically changeable axiom attribute: 

This case is presented in the example in Figure 2. Here, the axiom attribute 
must be modifiable during the lifetime of an agent in order to be able to 
represent changing dynamic behavior of that agent. In our example the 
axiom attribute Axioms can be manipulated by the mutators AddAxioms, 
RemoveAxioms and ResetAxioms. Whereas AddAxioms and RemoveAxioms 
add further axioms to and remove existing axioms from Axioms, respec- 
tively, ResetAxioms resets Axioms to the initial state. Possible values for the 
parameter P of the mutator AddAxioms could be the following ones: 

{ Withdraw(W) 
    calling { W > 400.00 } Warning("Withdrawal limit exceeded!"); } 

{ Withdraw(W) 
    enabled (W >= 0.00) and (Balance - W >= Limit); } 

{ Withdraw(W) 
    calling { not(occurs(Clock.NextDay)) 
              since last occurs(Withdraw(W)) } 
      Warning("Two withdrawals within one day!"); } 

{ Close 
    enabled Balance = 0.00; } 

The values above are sets of axioms written in the syntax of our specifica- 
tion language. The first value contains an axiom which requires a warning to be 
triggered if the amount of a withdrawal is larger than 400. In the next value 
there is an additional restriction saying that a Withdraw event may only oc- 
cur with an amount smaller than the current value of the attribute Balance 
minus the current value of the attribute Limit. Thereby, overdrawing of an 
account is ruled out. 

The third value ensures that a warning is triggered if two withdrawals occur 
within one day (in this formula we refer to a Clock assuming that it is spec- 
ified elsewhere as a part of the same system) . The last listed value contains 
a formula which specifies that an account may only be closed if there is no 
money on this account. 

2. Using a set of predefined, unchangeable axiom attributes: 

Here, a set of axiom attributes, which contain predefined sets of axioms and 
which cannot be modified during the lifetime of an agent, can be defined 
to model dynamically changing behavior of an agent. One of these axiom 
attributes must be declared as the current valid set of axioms which deter- 
mines the current behavior of the agent. By switching between the axiom 
attributes the behavior of the agent can be changed dynamically. 

axiom attributes 
  Axioms(N:nat) initialized 
    N=0: {} default, 
    N=1: { Withdraw(W) 
             calling { W > Balance } 
               Warning("Account has been overdrawn"); }, 
    N=2: { Withdraw(W) 
             calling { not(occurs(Clock.NextDay)) 
                       since last occurs(Withdraw(W)) } 
               Warning("Two withdrawals within one day!"); } 
mutators 
  ResetAxioms; 
  SwitchAxioms(N:nat); 
dynamic specification 
  ResetAxioms changing Axioms(0) := {}; 
  SwitchAxioms(N) changing Axioms(0) := Axioms(N); 

In the example above we define a parameterized attribute Axioms (for de- 
tails see [HSJ+94]) which contains different sets of axioms. Here, we declare 
implicitly the attribute term Axioms(0) to be the set with the current valid 
axioms. By using the mutator SwitchAxioms we are able to change the 
agent’s behavior dynamically. 

Please notice that this approach restricts the behavior evolution of an agent 
to various predefined behavior patterns. This is due to the fact that the axiom 
sets cannot be modified during the lifetime of an agent. Furthermore, note 
that in the rigid axioms part the common behavior of all possible behaviors 
is specified. 

3. Using several dynamically changeable axiom attributes: 

Here, the ideas of the other cases are combined. Several axiom attributes
may be specified, each of which may be modified during the lifetime of an agent.
As in the second case, these attributes may be predefined and one of these
attributes is marked as the currently valid one. In the following example we
have specified two mutators AddAxioms and RemoveAxioms (in addition to
the mutator of the example above) for adding a set of axioms to and for
removing a set of axioms from a given axiom attribute, respectively.

mutators
  AddAxioms(N:nat, P:setOf Axioms);
  RemoveAxioms(N:nat, P:setOf Axioms);
dynamic specification
  AddAxioms(N, P) changing Axioms(N) := Axioms(N) ∪ P;
  RemoveAxioms(N, P) changing Axioms(N) := Axioms(N) - P;

We emphasize that it might be useful to combine changeable as well as
predefined, unchangeable axiom attributes. In such cases we have to specify
separate mutators for each changeable axiom attribute. Further, please note that
mutator events, like usual events, may be equipped with enabling conditions in
order to prevent arbitrary manipulations. Moreover, mutator events may also cause
the occurrence of other basic as well as mutator events. This fact can be expressed
by using the well-known event calling mechanism.

However, for the agent specification approach presented so far we need a 
logical framework, a logic of agents, in which several non-standard logics (e.g. 
logic of knowledge, default logic, deontic logic [Mey92,Rya93,Rya94,JS93]), can 
be integrated. First results already show that the composition of different logics 
can really work [FM91]. In [SSS95,CRSS98] first steps towards the specification 
of dynamically changeable behavior in an object-oriented setting are presented 
and discussed. The following section gives a first formalization of dynamically 
changing behavior based on an extended temporal logic [CS97].

4 Evolving Temporal Logic 

In this section we present the basic ideas for formalizing an extension of temporal 
logic we need for capturing the properties sketched in the previous section. We 
will call this extension Evolving Temporal Logic (ETL). Afterwards, we show 
how the example given in the previous section is formulated in ETL. 

4.1 Basic Ideas for Formalization 

Temporal Logic. The starting point is a first-order, discrete, future-directed lin- 
ear temporal logic for objects which can be considered as a slightly modified 
version of the Object Specification Logic (OSL) which is presented in full detail 
in [SSC95]. In [Jun93] a comprehensive translation of Troll object specifica- 
tions into OSL is given. The following basic types of elementary propositions are 
used in the logic: 

1. $o.\mathit{Attr} = v$ expresses that the attribute Attr of an object o has the
value v (we have adopted this form from the specification language used for our
example; instead we could also take a predicate expression like $\mathit{Attr}(o, v)$).

2. $o.\nabla e$ stands for the occurrence of event e in object o.

With these elementary propositions we may build formulas in the usual way: for
this we may use for instance the boolean operators $\neg$ (negation) and $\wedge$
(conjunction) as well as all operators which can be defined by these ones.
Furthermore, we have the future-directed temporal operators $\bigcirc$ (next),
$\Box$ (always in the future), and $\Diamond$ (sometime in the future; defined as
$\Diamond f = \neg\Box\neg f$). By introducing variables and quantifiers we obtain
a first-order variant of linear temporal logic: provided x is a variable and f a
formula, then $\forall x : f$ and $\exists x : f$ are formulas.

The semantics of temporal logic formulas is defined w.r.t. life cycles which
are infinite sequences of states: $\lambda = (s_0, s_1, s_2, \ldots)$. We define
$\lambda^i$ as the life cycle which is obtained by removing the first i states from
$\lambda$, i.e. $\lambda^i = (s_i, s_{i+1}, s_{i+2}, \ldots)$.
Each state in a life cycle is assumed to be equipped with a mapping assigning
a truth value to each elementary proposition. Based on that we can define the
semantics of composed formulas in the usual way. For instance, the semantics of
temporal operators is defined as follows ($\lambda \models f$ means that f is
satisfied in $\lambda$):

$\lambda \models \Box f$ if for all $i \geq 0$: $\lambda^i \models f$.

$\lambda \models \bigcirc f$ if $\lambda^1 \models f$.

For brevity we omit the treatment of variables. This can be done in the usual 
straightforward way. All variables which are not explicitly bound by a quantifier 
are assumed to be universally quantified. Fully-fledged definitions of syntax and 
semantics of first-order order-sorted temporal logics for object specification can 
be found for instance in [SSC95] or [Con96]. 

Example. Here, we only present some temporal logic formulas representing
properties of the objects described in Fig. 1. We start with the effect an event
occurrence has on attributes. For instance the effect of Open events for account
objects is represented by the following temporal logic formula:

$\Box(\, a.\nabla\mathit{Open}(B, N, H) \rightarrow \bigcirc(a.\mathit{Bank} = B \wedge a.\mathit{No} = N \wedge a.\mathit{Holder} = H) \,)$

Due to the fact that Open is a birth event it may only occur once in the life of
an object. This property being inherent to the object model of the specification
language Troll can be expressed by:

$\Box(\, a.\nabla\mathit{Open}(B, N, H) \rightarrow \bigcirc\Box(\neg\exists B', N', H' : a.\nabla\mathit{Open}(B', N', H')) \,)$

Event calling as it may be specified for Transfer events in bank objects could
be expressed by temporal logic formulas as follows (where b refers to a bank
object):

$\Box(\, b.\nabla\mathit{Transfer}(H_1, H_2, M) \rightarrow (\, \mathit{Account}(H_1).\nabla\mathit{Withdrawal}(M) \wedge \mathit{Account}(H_2).\nabla\mathit{Deposit}(M) \,) \,)$

Evolving temporal Logic (ETL). Based on the linear temporal logic described 
before we have to find an extension for the treatment of the special attribute 
having sets of first-order formulas as values. In order to represent this special 
property we introduce a corresponding predicate V into our logic. This predicate 
is used to express the current validity of the dynamic behavior axioms. For 
simplicity, we restrict our consideration to one special predicate over first-order 
temporal formulas.^ 

This predicate is used to express the state-dependent validity of first-order
formulas: $V(\varphi)$ holds in a state (at an instant of time) means that the
specification $\varphi$ is valid w.r.t. that state.

In a more formal way we can express this as follows: if $V(\varphi)$ holds for a
(linear) life cycle $\lambda$ (i.e., $\lambda \models V(\varphi)$) then $\varphi$
holds for $\lambda$ as well:

$\lambda \models V(\varphi)$ implies $\lambda \models \varphi$

In order to avoid severe problems especially caused by substitution we assume V 
to work only on syntactic representations of first-order temporal formulas instead 
of the formulas themselves. Here, we use the notation p to distinguish such a 
syntactic representation from the formula p. For a correct formal treatment we 
have to define an abstract data type Formula for first-order temporal formulas 
as possible parameter values for V. In addition a function translating values of 
this abstract data type into corresponding formulas is needed. 

W.r.t. the reflection of $V(\varphi)$ on the first-order level, we may establish the
following axiom for ETL:

$V(\varphi) \rightarrow \varphi$

^ For dealing with several objects having different sets of currently valid behavior
axioms, we could extend this view to several predicates or introduce an additional
parameter to the predicate for referring to different objects. In the same way, we can
deal with the case that one object has several of these attributes.

By means of the predicate V we simulate the finite set of behavior axioms which
are currently valid. Thus $V(\varphi)$ can be read as "$\varphi$ is in the set of
currently valid behavior axioms". Due to $V(\varphi) \rightarrow \varphi$, it is
sufficient that V holds only for a finite set of specification axioms because the
theory induced by these axioms is generated on the first-order level in the usual way.

Please note that $V(\varphi)$ can be considered as an elementary proposition in
ETL. Therefore, we may assume that for each state $s_i$ in a life cycle $\lambda$
there is a truth assigning function denoting the validity of $V(\varphi)$ for each
first-order formula $\varphi$.

From the definition given before and from the usual properties of the temporal
operators we can now immediately conclude:

$\lambda \models V(\Box\varphi)$ implies $\forall i \geq 0 : \lambda^i \models \varphi$

$\lambda \models V(\Diamond\varphi)$ implies $\exists i \geq 0 : \lambda^i \models \varphi$

This is due to $\lambda \models V(\Box\varphi)$ implies $\lambda \models \Box\varphi$,
and $\lambda \models \Box\varphi$ is defined by $\forall i \geq 0 : \lambda^i \models \varphi$
(and analogously for $\Diamond\varphi$). This special property is depicted in Fig. 3:
Assume $V(\Box\varphi)$ holds in state $s_i$ in a life cycle $\lambda$. Then $\varphi$
holds in all the states $s_i, s_{i+1}, s_{i+2}, \ldots$, independent of whether
$V(\Box\varphi)$ is true in $s_{i+1}, s_{i+2}, \ldots$ Therefore, it should be clearly
noted that there is a big difference between $V(\Box\varphi)$ and $V(\varphi)$. Once
$V(\Box\varphi)$ has become true, $\varphi$ remains true forever. In contrast, if
$V(\varphi)$ becomes true, $\varphi$ needs only to remain true as long as $V(\varphi)$ does.



Fig. 3. Interpreting Evolving Temporal Logic. 



For the events manipulating the special attribute Axioms (in the specification
called mutators) we need counterparts in the logic. For a general manipulation of
the predicate V we introduce two special events $\mathit{axiom}^{+}(\varphi)$ and
$\mathit{axiom}^{-}(\varphi)$ for adding an axiom to V and for removing an axiom from
V, respectively. From the logical point of view these two events are sufficient for
representing all possible ways of manipulating the attribute Axioms. As introduced
before we use the notation $\nabla\mathit{axiom}^{+}(\varphi)$ for denoting the
occurrence of the event $\mathit{axiom}^{+}$ (analogously for $\mathit{axiom}^{-}$).
For occurrences of these events the following axioms are given:

$\nabla\mathit{axiom}^{+}(\varphi) \rightarrow \bigcirc V(\varphi)$

$\nabla\mathit{axiom}^{-}(\varphi) \rightarrow \bigcirc\neg V(\varphi)$

$\nabla\mathit{axiom}^{+}(\varphi)$ (or $\nabla\mathit{axiom}^{-}(\varphi)$) leads to
$V(\varphi)$ ($\neg V(\varphi)$, resp.) in the subsequent state. Frame rules are
assumed restricting the evolution of V to changes which are caused by occurrences
of the events $\mathit{axiom}^{+}$ and $\mathit{axiom}^{-}$:

$\neg V(\varphi) \wedge \bigcirc V(\varphi) \rightarrow \nabla\mathit{axiom}^{+}(\varphi)$

$V(\varphi) \wedge \bigcirc\neg V(\varphi) \rightarrow \nabla\mathit{axiom}^{-}(\varphi)$

Before we show how to formulate some properties specified in Fig. 2 we want to
briefly discuss the understanding of negation w.r.t. the predicate V. The question
to answer is whether $V(\neg\varphi)$ is different from $\neg V(\varphi)$. The answer
is quite simple: From $\lambda \models V(\neg\varphi)$ it follows that
$\lambda \models \neg\varphi$. In contrast we cannot derive the same from
$\neg V(\varphi)$. Therefore, $V(\neg\varphi)$ and $\neg V(\varphi)$ have to be
distinguished. This is of course not surprising because it corresponds to our
intuition about the predicate V.

Another important issue we do not discuss in full detail is a proof system for 
ETL. In fact, we think of taking a proof system for first-order linear temporal 
logic (like OSL [SSC95]) and extending it a little bit in order to get a grasp of 
the predicate V. 



4.2 Expressing the Example Using ETL 

In the example given in Fig. 2 several properties are specified for the special 
attribute Axioms. Here, we formulate some of them as ETL formulas where the 
attribute Axioms is represented by the special predicate V. Due to the fact that 
we have to distinguish between different agents we prefix each occurrence of V in 
a formula by a variable (or an agent name) referring to the agent concerned. This 
corresponds to the way we have prefixed predicates denoting an event occurrence 
for an agent before. 

In all formulas given below there is an implicit universal quantification over
all variables (including $\varphi$). Please recall that we assume $\varphi$ to be a
variable over an abstract data type Formula.

The way we express the initial value property for Axioms, i.e., that directly
after the occurrence of the birth event Open there is no formula $\varphi$ for which
$V(\varphi)$ holds, is a little bit tricky:

$\Box(\, \bigcirc a.V(\varphi) \rightarrow \neg a.\nabla\mathit{Open}(B, N, H) \,)$

The effect the so-called mutator event AddAxioms has on the value of Axioms
can be described by simply reducing the occurrence of AddAxioms to occurrences
of the special pre-defined event $\mathit{axiom}^{+}$:

$\Box(\, a.\nabla\mathit{AddAxioms}(\Phi) \wedge \varphi \in \Phi \rightarrow a.\nabla\mathit{axiom}^{+}(\varphi) \,)$

For the mutator event ResetAxioms we choose a similar way of expressing its
effect:

$\Box(\, a.\nabla\mathit{ResetAxioms} \wedge a.V(\varphi) \rightarrow a.\nabla\mathit{axiom}^{-}(\varphi) \,)$

Considering the property of $\mathit{axiom}^{-}$ described before we can immediately
conclude:

$\Box(\, a.\nabla\mathit{ResetAxioms} \wedge a.V(\varphi) \rightarrow \bigcirc\neg a.V(\varphi) \,)$

Finally, the effect of the mutator event RemoveAxioms can be described by:

$\Box(\, a.\nabla\mathit{RemoveAxioms}(\Phi) \wedge \varphi \in \Phi \rightarrow a.\nabla\mathit{axiom}^{-}(\varphi) \,)$

Obviously, it is possible to express a nearly arbitrary manipulation of the behav- 
ior specification. From a pragmatic point of view this is not a desirable property. 
Therefore, we think of restricting the possibilities by means of the specification 
language. The specification language should only allow those ways of manipulat- 
ing the dynamic behavior specification which can be captured by the logic in a 
reasonable way. Furthermore, we have to make sure that only certain users (rep- 
resented by special objects or agents) are allowed to change the dynamic part of 
the specification. For that, additional mechanisms are needed in the specification 
framework. 
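The effect axioms and frame rules for the two axiom events, and the difference between V applied to an "always" formula and V applied to a plain formula, can be checked mechanically over a finite prefix of a life cycle. The following is an added example, not code from the paper: the `State` record, the formula names and the sample life cycle are constructed, and working on a finite prefix instead of an infinite life cycle is a simplifying assumption.

```python
from dataclasses import dataclass

ALWAYS = "always"  # ("always", p) is the syntactic representation of "box p"


@dataclass(frozen=True)
class State:
    valid: frozenset                 # formulas phi with V(phi) in this state
    plus: frozenset = frozenset()    # phi with an occurrence of axiom+(phi)
    minus: frozenset = frozenset()   # phi with an occurrence of axiom-(phi)
    facts: frozenset = frozenset()   # atomic propositions true in this state


def mutator_events(mutator, arg, valid):
    """Reduce a mutator occurrence to (axiom+ set, axiom- set), as in Sect. 4.2."""
    if mutator is None:
        return frozenset(), frozenset()
    if mutator == "AddAxioms":
        return frozenset(arg), frozenset()
    if mutator == "RemoveAxioms":
        return frozenset(), frozenset(arg)
    if mutator == "ResetAxioms":
        return frozenset(), frozenset(valid)   # every currently valid phi
    raise ValueError(f"unknown mutator {mutator!r}")


def build_life_cycle(steps):
    """steps: list of (mutator, arg, facts); returns a finite life-cycle prefix.

    The agent is born with an empty axiom set, and an event occurring in
    state i takes effect in state i+1.
    """
    trace, valid = [], frozenset()
    for mutator, arg, facts in steps:
        plus, minus = mutator_events(mutator, arg, valid)
        if plus & minus:
            raise ValueError("axiom+ and axiom- on one formula in one state")
        trace.append(State(valid, plus, minus, frozenset(facts)))
        valid = (valid | plus) - minus
    return trace


def effect_violations(trace):
    """axiom+(phi) -> next V(phi);  axiom-(phi) -> next not V(phi)."""
    bad = []
    for i, (s, nxt) in enumerate(zip(trace, trace[1:])):
        bad += [(i, "axiom+", f) for f in s.plus - nxt.valid]
        bad += [(i, "axiom-", f) for f in s.minus & nxt.valid]
    return bad


def frame_violations(trace):
    """V may change only through occurrences of axiom+ / axiom-."""
    bad = []
    for i, (s, nxt) in enumerate(zip(trace, trace[1:])):
        bad += [(i, "appeared", f) for f in (nxt.valid - s.valid) - s.plus]
        bad += [(i, "vanished", f) for f in (s.valid - nxt.valid) - s.minus]
    return bad


def obligation_violations(trace):
    """V(phi) -> phi in the same state; V(box p) binds every later state too."""
    bad = []
    for i, s in enumerate(trace):
        for f in s.valid:
            if isinstance(f, tuple) and f[0] == ALWAYS:
                bad += [(i, j, f) for j in range(i, len(trace))
                        if f[1] not in trace[j].facts]
            elif f not in s.facts:
                bad.append((i, i, f))
    return bad


def tamper(trace, index, formula):
    """Copy of the trace in which V(formula) shows up in one state with no event."""
    s = trace[index]
    forged = State(s.valid | {formula}, s.plus, s.minus, s.facts)
    return trace[:index] + [forged] + trace[index + 1:]


# Constructed sample life cycle (not from the paper).
P, Q = "balance_nonneg", "limit_400"
STEPS = [
    ("AddAxioms", {(ALWAYS, P), Q}, {P, Q}),  # s0: birth state, V is empty
    (None, None, {P, Q}),                     # s1: V(box P) and V(Q) hold
    ("ResetAxioms", None, {P, Q}),            # s2: both valid, reset occurs
    (None, None, {P}),                        # s3: V empty, Q may now fail
    (None, None, {Q}),                        # s4: P fails, breaking box P
]
LIFE_CYCLE = build_life_cycle(STEPS)

if __name__ == "__main__":
    print(effect_violations(LIFE_CYCLE), frame_violations(LIFE_CYCLE))
    print(obligation_violations(LIFE_CYCLE))
    print(frame_violations(tamper(LIFE_CYCLE, 3, "no_warnings")))
```

In the sample, dropping Q after the reset is harmless, while the "always" formula that was valid in s1 and s2 is still violated in s4, and the forged state is reported by the frame-rule check because no axiom event explains the change.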

5 Conclusions 

In this paper we have motivated the necessity of evolving specifications in the 
area of information systems. As a rather straightforward step to modeling in- 
formation systems dynamics, we presented a first approach of an agent-oriented 
specification framework. For that, we sketched the concept of an agent as a fur- 
ther evolution of the traditional concept of object. Here, we showed that the 
concept of agent overcomes the limitations of current object models to describe 
object behavior evolution. This is due to the fact that the agent paradigm allows 
agents to have changing goals, behavior, constraints, etc. 

Our approach is based on the idea of “states as theories” as described,
for instance, in [SSS95]. We proposed a two-level specification framework. The
first level contains basic axioms describing usual events and their fixed effects on
the specified attributes. In the second level we allow the specification of (meta)
axioms which describe the possible evolution of the agent specification. Thereby,
we are able to consider dynamically changing behavior of agents and agent systems.
Furthermore, we sketched an extension of linear temporal logic (called ETL, 
Evolving Temporal Logic) which allows us to express dynamically changing be- 
havior within the logic. Thereby, it becomes possible to reason about changes of 
behavior. In [CRSS98] the same idea of separating two levels of specification is 
applied as extension to OSL [SSC95] . 

We do not want to conceal that there are several properties of agents of 
which we do not exactly know at the moment how to integrate them into the 
framework we proposed, for example planning and conflict resolving facilities of 
agents, and autonomy issues (e.g. which request must be fulfilled by an agent). 

A nice application area for agent-oriented specification is the area of federated
database or information systems. In a federation the component systems are
allowed to operate in an autonomous way (at least, up to a certain degree). Most
of the concepts which distinguish agent-oriented specification from traditional
object-oriented specification can be applied in a natural way in such a scenario.
In [TSC97b,TSC97a] we present first examples and discuss basic principles for
applying an agent-oriented approach to specifying federated systems.

Besides, we have to investigate how far we can allow dynamic signature mod- 
ification. In order to model evolutionary behavior adequately, it seems to be 
necessary to allow the dynamic specification of additional events. If we allow 
arbitrary formulas as parameters for the mutators, it is easy to add new events 
into the specification during the lifetime of an agent. When defining such events 
we also may need the specification of additional mutators which describe the 
evolution of these events. 

On the other hand, if we do not allow arbitrary formulas as parameters, only 
the behavior of existing events may be changed and thus we have a restricted 
evolution of agents. Furthermore, we have to check if we need additionally at- 
tributes which may be integrated into the specification during the lifetime of an 
agent. 

In conclusion, we can state that although there are many open questions,
it is obvious that the concept of agent can be useful especially for modeling
information systems consisting of components which are partially autonomous.

Abstract. The possibility of cooperation is still a matter of debate in the field of
GT. Generally speaking, the emergence of cooperation is seen in the prospect of
re-encounter as a forward-looking, calculated, and self-interested decision to
cooperate. In this paper, it is argued that neither one-shot nor repeated versions of
the PD-game can account for a theory of cooperation as distinct from other forms of
social action, and particularly bargaining. It is also argued that in order to
provide a theory of cooperation it is necessary to ground social interdependence
on a general theory of action and planning. More precisely, two theses are
presented and discussed: (i) When the PD-game structure is applied to ideal-type
situations, one or other of its formal properties does not hold. (ii) A plan-based
model of social dependence is necessary for disentangling cooperation from other
types of social action, especially bargaining: while PD-game applies to the latter,
it does not apply to the former! Even in its repeated version, PD-game cannot
account for cooperation as distinct from honest bargaining.



1 Introduction 

The impossibility of cooperation in the one-shot Prisoners' Dilemma (PD) game is 
largely acknowledged. Indeed, some authors (Howard, 1971; Gauthier, 1986; 1993) 
have attempted to enable PD-game to account for one-shot cooperation; but others 
(Binmore, 1994) claim such an attempt to be irrational. 

In short, the possibility of cooperation is still a matter of debate in the field of GT.
Generally speaking, the emergence of cooperation is seen in the prospect of
re-encounter. To use the words of Axelrod (1997: 12), game-theoretical models explain
cooperation in the shadow of the future, as a forward-looking, calculated, and
self-interested (although an "enlightened" self-interest, as is made precise by
Binmore, 1994) decision to cooperate (see also Macy, 1998). If one-shot PD-game
leaves no room for cooperation, repeated versions of the same game do (see Axelrod 1984).

In this paper we will endeavour to show that neither one-shot nor repeated 
versions of the PD-game can account for a theory of cooperation as distinct from 
other forms of social action, and particularly bargaining. We will argue that in order 
to provide a theory of cooperation it is necessary to ground social interdependence on 
a general theory of action and planning as provided within the cognitive science and 
AI framework (for the most classical version of a theory of planned action, see Miller 



J.-J. Ch. Meyer, P.-Y. Schobbens (Eds.): Formal Methods of Agents, LNAI 1760, pp. 74-89, 1999. 
© Springer-Verlag Berlin Heidelberg 1999 




The Impossibility of Modelling Cooperation in PD-Game 






et al., 1960). More precisely, this paper will present a discussion of the following 
theses: 

(a) although PD-game has been said to be applicable to several social phenomena
and in different domains (Axelrod, 1990), the limits of application are as yet
unclear: to which ideal-type social conditions does the PD-game apply? In this
paper we will show that a plan-based model of social dependence (Castelfranchi et
al., 1992) allows us to deduce the applicability of the PD-game; in other words,
instead of testing game-theoretical models against empirical evidence, we suggest a
lower-level theoretical approach for checking the applicability of the Prisoner's
Dilemma, and predicting the emergence of either defection or cooperation;

(b) a plan-based model of dependence is also necessary for disentangling
cooperation from other types of social action, especially bargaining: while PD-game
applies to the latter, it never applies to the former! Even in its repeated version,
PD-game cannot account for cooperation as distinct from honest bargaining.

The paper is organised as follows: 

- in the following section, after a brief summary of the PD-game properties, a
plan-based model of interdependence, defined in terms of goals and actions, will be
briefly presented. Some ideal-type social situations will be thereby distinguished,
in particular cooperation and bargaining. One-shot cooperation will be shown to be
feasible, although unaccountable in terms of a PD-game. A repeated version of the
game is therefore proved to be unnecessary to account for cooperation.

- In the third section, the repeated version of the PD-game will be shown to be also
insufficient. In order to model cooperation, it is no use to extend the temporal
perspective of the PD-game. This solution is inadequate because again it fails to
distinguish cooperation from reciprocity.

- Finally, in the fourth section, we will summarise the advantages of a notion of 
cooperation as distinct from bargaining. 



2 A Plan-Based View of Social Dependence and the Applicability 
of PD-Game 

In AI, cognitive science, and even in the common intuition, actions are (tentative)
solutions to existing problems, or means for achieving goals, applicable under given
conditions. The structure of action cannot be essentially incorporated into the
PD-game structure, because such a structure does not allow for goals, conditions, and
problems, but only for payoffs (which are explicitly considered as primitive in
game-theoretical models, see Binmore 1994), to be represented. While building their
theoretical foundations on game-theoretic grounds, social scientists actually
dispense with at least one of the major contributions that AI and cognitive science
have given to the scientific community: a theory of action and planning. We will
resort to such a contribution to give grounds and reasons to the interdependent
payoffs displayed in a game-theoretical matrix.

2.1 PD-Game Properties 

The PD-game is a fundamental game applied in several fields for several purposes 
(Axelrod 1990). One of its major applications is the study of human cooperation (see, 
for example, G. Hardin, 1968; R. Hardin, 1982; Margolis, 1982; Olson, 1965; Taylor, 
1987; Axelrod, 1984). The idea underneath was that if we are not able to get people to 
cooperate in a simple situation like that depicted by the PD game, we can forget about 
deriving rational cooperation at all. 

Here, we will clarify what is usually meant by a game, and in particular by a
PD-game.

A game is a situation of interdependence between the payoffs of the moves of two
or more agents (usually called players). Given a set of moves and a set of players
(e.g., $m_i$ and $m_j$, and two players), and their possible combinations (in our
case, $(m_i, m_j)$, $(m_i, m_i)$, $(m_j, m_j)$, $(m_j, m_i)$), a game is a situation
in which (a) the players' actual moves instantiate one combination, (b) the payoffs
that each player obtains are interdependent: the player performing $m_i$ will obtain
a different payoff according to whether the opposer plays $m_i$ or $m_j$. A PD-game
is a game in which agents choose among two possible moves (C and D, which stand for
cooperate and defect; however, it should be noted that the "cooperative" or
"non-cooperative" character of the moves is illusory¹, and lies only in the specific
structural properties of the game, which will be expressed below).

The PD-game moves give rise to four possible combinations (DC, CC, DD, CD), 
with the relative payoffs. Let us present the payoff matrix of the PD using, for 
purpose of clarity, the Maynard-Smith's (1982) moves of dove and hawk, where dove 
stands for the cooperative move (keep silent) and hawk stands for the non-cooperative 
move (confess): 



General form (each cell lists the row player's payoff, then the column player's):

            dove      hawk
  dove      y, y      0, x
  hawk      x, 0      z, z

Two numerical instances:

            dove      hawk                  dove      hawk
  dove      2, 2      0, 3        dove      3, 3      0, 6
  hawk      3, 0      1, 1        hawk      6, 0      1, 1


Fig. 1 : Prisoners' Dilemmas (drawn from Binmore, 1994: 103) 
where x > y > z > 0. For brevity, we use Axelrod's symbols: 



(a) 1, 2 = players 

(b) dove, hawk = possible actions 

(c) R (reward) = (dove, dove) payoff 

(d) T (temptation) = (hawk, dove) payoff 

(d) S (sucker) = (dove, hawk) payoff 

to which we add 

(e) B (boomerang) = (hawk, hawk) payoff 

¹ The structure of the PD-game is usually applied to a fictitious and rather
cumbersome example, of which many variants circulate. The original draft (as
reported by Binmore, 1994) is as follows: the questor of Chicago is on the tracks of
two well-known delinquents, but he does not have sufficient elements to arrest them.
Consequently, he constructs a plan: he tells them that if they both deliver
information on each other (non-cooperative move), they will obtain a discount on the
sentence (D,D). If, alternatively, they both keep silent, they will be sentenced to a
mild penalty (in the absence of elements for a serious verdict). But if one delivers
information on the other while the latter keeps silent (D,C), the latter will be
imprisoned, while the former will be set free.

A number of properties apply to this structure. These explicit properties of the 
structure of the Prisoner's Dilemma, which allow to set the payoffs to given values, 
are as follows: 

(a) Preference order: payoffs are such that T > R > B > S; this in substance means
that a PD-game structure is such that temptation to cheat is always possible and that
hawk is a dominant strategy (Eichberger, 1993), since it is one's best move whatever
the opponent decides to do (in fact, T > R, and B > S); it is actually a strongly
dominating strategy (Binmore, 1994), because hawk is always the best choice, not
only one which provides the highest payoff in a subset of the extended form of
the game (this latter would be a weakly dominating strategy). In short, a PD-game is
one in which cheating is always convenient.

(b) Pareto-inefficiency assumption: payoffs are such that $R > \frac{T+S}{2}$. The
outcome of the PD-game is Pareto-inefficient, since the average outcome of
cooperation (R) is higher than the average result of non cooperating, $\frac{T+S}{2}$.

(c) The actions remain the same, but their payoffs vary interdependently. Actions 
must produce benefits with different payoffs, but variability depends exclusively on 
the players' interdependence. 

But there are also some implicit assumptions, namely: 

(d) actions are executed to achieve goals, to obtain benefits, which have payoffs 

(e) actions imply costs, 

(f) payoffs should be greater than costs. 



2.2 Main Theses 

As game theorists are well aware (see, for example, Binmore 1994: 102), the
assignment of payoffs is arbitrary: payoffs are not derived from a theory of action.
They are inputs to decision, rather than results of a model of action. As a
consequence, the matrix does not derive from a model of cooperative action. Indeed,
it itself is, or claims to be, one such model, that is to say, a mathematical
representation of social interdependence.

We claim that just because of this, PD game is inapplicable to cooperation. If one
tries to apply it to real-life situations, one of the following consequences occurs.

- the preference order is modified in such a way that hawk is no longer a dominating
strategy (it is not always preferable), and/or

- $R = \frac{T+S}{2}$, meaning that the Pareto-inefficiency assumption does not hold.
This in substance means that there is no incentive to cooperate, and/or

- agents do not achieve a common goal, but individually different goals.
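Properties (a) and (b) of Sect. 2.1, and the first two ways in which they can fail, can be checked directly on a payoff matrix. This is an added example, not part of the original paper: the function names and the three payoff sets are constructed, and the equilibrium and Pareto checks are the standard pure-strategy definitions, which go slightly beyond the two inequalities stated in the text.

```python
from fractions import Fraction
from itertools import product

MOVES = ("dove", "hawk")


def pd_matrix(T, R, B, S):
    """Symmetric 2x2 game; game[(row_move, col_move)] = (row payoff, col payoff)."""
    return {
        ("dove", "dove"): (R, R),
        ("dove", "hawk"): (S, T),
        ("hawk", "dove"): (T, S),
        ("hawk", "hawk"): (B, B),
    }


def payoff(game, player, own, other):
    """Payoff of `player` (0 = row, 1 = column) playing `own` against `other`."""
    cell = (own, other) if player == 0 else (other, own)
    return game[cell][player]


def strictly_dominant(game, player):
    """Move that beats every alternative against every opposing move, else None."""
    for move in MOVES:
        if all(payoff(game, player, move, opp) > payoff(game, player, alt, opp)
               for alt in MOVES if alt != move
               for opp in MOVES):
            return move
    return None


def nash_equilibria(game):
    """Pure-strategy profiles from which neither player gains by deviating alone."""
    return [(r, c) for r, c in product(MOVES, MOVES)
            if all(payoff(game, 0, r, c) >= payoff(game, 0, alt, c) for alt in MOVES)
            and all(payoff(game, 1, c, r) >= payoff(game, 1, alt, r) for alt in MOVES)]


def pareto_dominated(game, cell):
    """True if another outcome is at least as good for both players and differs."""
    mine = game[cell]
    return any(o[0] >= mine[0] and o[1] >= mine[1] and o != mine
               for o in game.values())


def check_pd(T, R, B, S):
    """Evaluate properties (a) and (b) of Sect. 2.1 for integer payoffs."""
    game = pd_matrix(T, R, B, S)
    hawk_dominant = all(strictly_dominant(game, p) == "hawk" for p in (0, 1))
    return {
        "preference_order": T > R > B > S,
        "hawk_dominant": hawk_dominant,
        "equilibria": nash_equilibria(game),
        "equilibrium_pareto_dominated": pareto_dominated(game, ("hawk", "hawk")),
        "pareto_inefficiency": R > Fraction(T + S, 2),
    }


# Constructed payoff sets (T, R, B, S); the third reorders T and R.
SAMPLES = {
    "pd": (3, 2, 1, 0),
    "pd_equal_average": (6, 3, 1, 0),
    "reordered": (2, 3, 1, 0),
}

if __name__ == "__main__":
    for name, values in SAMPLES.items():
        print(name, check_pd(*values))
```

The second payoff set keeps hawk dominant but gives R equal to (T+S)/2, so the strict inequality of property (b) fails; the third breaks the preference order, and hawk is no longer dominant.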

To see this, we will try to apply the PD-game to a number of paradigmatic social
situations. But beforehand, we will present a plan-based model of social dependence
(Castelfranchi et al., 1992) which will help us identify ideal-type cases of
cooperation situations.



2.3 Interdependence in Action 

Let us distinguish two types of dependence. 

Mutual dependence. This occurs when two or more agents $\langle x_1, x_2, \ldots, x_n \rangle$
have a shared goal and depend on each other to achieve it. Two or more agents are
said (Conte et al., 1991) to have a shared goal when they have the same world state p
as a goal, $(GOAL\ x_1\ p)\ \&\ (GOAL\ x_2\ p)\ \&\ \ldots\ \&\ (GOAL\ x_n\ p)$, and p
does not mention the goal holder as a beneficiary of one's own goal (e.g., "Have the
left coalition party win the elections", or "Have the cake cooked", etc.). More
formally (for a complete formal definition of this notion in terms of a first-order
language, see Castelfranchi et al., 1992), two agents x and y depend upon each other
to achieve a shared goal $g_i$, when for any plan $p_i$ $\langle a_1, a_2, \ldots, a_n \rangle$
belonging to the set of plans $P_i$ which is believed to achieve $g_i$, there are at least

- one action $a_i$ not belonging to the set of actions $A_x$ that x is competent upon;

- and one action $a_j$ (with $a_i$ always $\neq a_j$) not belonging to the set of
actions $A_y$ that y is competent upon.

Reciprocal dependence. This occurs when two agents x and y depend upon each
other to achieve two (or more) different goals. More formally (see again Castelfranchi
et al., 1992), x and y are in reciprocal dependence iff, for any two goals $g_x$ and
$g_y$ (with $g_x$ always $\neq g_y$) such that $g_x$ is an instance of x's goal set
$G_x$ and $g_y$ is an instance of y's goal set $G_y$, it is the case that

- for any plan $p_i$ belonging to the set of plans $P_x$ which is believed to achieve
$g_x$ there is at least one action $a_i$ not belonging to the set of actions $A_x$
that x is competent upon;

- and for any plan $p_j$ belonging to $P_y$ which is believed to achieve $g_y$, there
is at least one action $a_j$ (with $a_i$ always $\neq a_j$) not belonging to the set
of actions $A_y$ that y is competent upon.

Two rather different types of social action follow from the above definition:

- cooperation, occurring when mutually dependent agents execute the plan $p_i$ to
achieve their common goal $g_i$;

- exchange², occurring when reciprocally dependent agents each execute a share of
the other's plan to achieve their different goals.

In what follows, it will be argued that PD-game applies to reciprocal dependence, 
and therefore depicts exchange; but it does not apply to mutual dependence and 
therefore does not represent cooperation. 
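The two definitions of Sect. 2.3 quantify over every plan believed to achieve a goal, which is easy to get wrong when reading them informally. The sketch below is an added example, not code from the paper: agent names, action names and the plan library are constructed, only the conditions stated in the text are checked, and treating a goal with no known plan as yielding no dependence is an assumption.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Agent:
    name: str
    goals: frozenset      # world states the agent has as goals
    actions: frozenset    # A_x: actions the agent is competent upon


def lacking_pair(plan_x, x, plan_y, y):
    """True if some a_i in plan_x lies outside A_x and some a_j in plan_y lies
    outside A_y, with a_i != a_j."""
    missing_x = set(plan_x) - x.actions
    missing_y = set(plan_y) - y.actions
    return any(ai != aj for ai, aj in product(missing_x, missing_y))


def mutually_dependent(x, y, goal, plans):
    """x and y share `goal`, and every plan believed to achieve it contains an
    action x lacks and a different action y lacks."""
    if goal not in x.goals or goal not in y.goals:
        return False
    candidates = plans.get(goal, [])
    # Assumption: a goal with no known plan yields no dependence.
    return bool(candidates) and all(lacking_pair(p, x, p, y) for p in candidates)


def reciprocally_dependent(x, y, goal_x, goal_y, plans):
    """x and y have different goals, every plan for x's goal contains an action
    x lacks, and every plan for y's goal contains a different action y lacks."""
    if goal_x == goal_y or goal_x not in x.goals or goal_y not in y.goals:
        return False
    px, py = plans.get(goal_x, []), plans.get(goal_y, [])
    return bool(px) and bool(py) and all(
        lacking_pair(p, x, q, y) for p, q in product(px, py))


def classify(x, y, plans):
    """Social actions the two definitions license between x and y."""
    found = []
    for goal in sorted(x.goals & y.goals):
        if mutually_dependent(x, y, goal, plans):
            found.append(("cooperation", goal))
    for gx, gy in product(sorted(x.goals), sorted(y.goals)):
        if reciprocally_dependent(x, y, gx, gy, plans):
            found.append(("exchange", gx, gy))
    return found


# Constructed scenario (not from the paper).
PLANS = {
    "cake_cooked": [("buy_ingredients", "bake")],
    "fence_painted": [("buy_paint", "paint")],
    "bike_repaired": [("repair_bike",)],
}
ANN = Agent("ann", frozenset({"cake_cooked"}), frozenset({"buy_ingredients"}))
BOB = Agent("bob", frozenset({"cake_cooked"}), frozenset({"bake"}))
CAT = Agent("cat", frozenset({"fence_painted"}),
            frozenset({"buy_paint", "repair_bike"}))
DAN = Agent("dan", frozenset({"bike_repaired"}), frozenset({"paint"}))

if __name__ == "__main__":
    print(classify(ANN, BOB, PLANS))   # shared goal, complementary competences
    print(classify(CAT, DAN, PLANS))   # different goals, each lacks an action
```

Because the condition must hold for every plan, a single alternative plan that one agent can carry out alone is enough to remove the dependence.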



2.4 PD-Game and Mutual Dependence 

The agents' goals vary along the following dimensions.

(a) Cost-dependent vs. independent: either the benefit³ is a continuous variable
depending on the cost of contribution (e.g., the control of pollution), or it is a
none-or-all phenomenon (for example, a surgery); if the benefit is cost-dependent, the
amount of benefit achieved if all contributors cooperate to it will be higher than
would be the case if some contributors cheat. Vice versa, if the benefit is
cost-independent, the amount of benefit produced is the same, whether someone is
cheating or not.

(b) Global vs. distributed: the common benefit may be enjoyed either jointly (to
dethrone a tyrant) or distributedly (to split a booty) by contributors.

To the goal dimensions, we will add an action dimension of variability:

(c) Iterated vs. complementary actions: the cooperative plan is either iterated
(including several instances of one action, as in the case of jointly lifting a sofa) by,
or distributed among, contributors (including several distinct types of action, like in a
football team). Complementary actions imply that the benefit cannot be achieved if
complementary actions are not carried out.

These dimensions are not exhaustive but they allowed us to distinguish several 
prototypical situations. They seem particularly relevant in the context of the present 
argument because they specify the conditions for cheating: cheat can take place at at 
least two levels: 



² We speak here about exchange, rather than bargaining, since in the present context we are not
distinguishing the exchange of actions from the exchange of resources. However, the notion
of reciprocal dependence defined above includes dependence on each other's resources. In
the latter case, we speak of bargaining. Throughout the rest of the paper, bargaining will be
preferred over exchange because the notion of bargaining seems to fit better the PD-game
context.

³ From now on, we will speak about benefit, rather than goals, in order to emphasize the
quantitative aspect of goal-achievement, which is essential within a game-theoretical model. 
Quantity, by the way, is neither a primary nor a necessary specification of goals, which are 
symbolic representations. 

(a) at the level of the goal: in which case the hawk move is "don't share"; this
obviously implies that, when the benefit is global, cheat cannot occur at the level of
the benefit;

(b) at the level of the action: in which case, the hawk move is "don't contribute"; 
this implies that cheat cannot occur with complementary actions. 

In particular, the strongest mutual dependence holds with global benefit and 
complementary action, and the weakest in the opposite situations. While mutual 
dependence never leaves room to PD-game, it may allow for defection (although not 
as a dominant strategy). In particular, 

- mutual dependence never allows for PD-game, and

- strong dependence does not even allow for defection; but 

- weak mutual dependence allows for defection as a non-dominant strategy. 

Let us examine the situations which are drawn from the interplay between these 
dimensions. 

Cost-dependent global benefit with iterated actions. The benefit achievement is a
continuous variable, but cannot be split and therefore enjoyed separately by
contributors; furthermore the plan to achieve it is iterated by them.

Let us consider as an example the control of pollution (this is a typical example of
a public good in Olson's sense). This can be formulated in terms of a PD-game
structure by instantiating action dove to 'reduce production of poison gas', and in turn
action hawk to 'not reduce' such production. Obviously, the degree of pollution can
vary on a continuous scale depending on the extent of the reduction. Therefore, the joint
benefit (b) is a continuous variable based upon cost of reduction (c).

Thesis 1. 

Either the preference order (R > T > B > S) does not hold (and as a consequence,
hawk is not always preferable), or the assumption of rational action does not hold. 

Proof 1. 

Premises 

(p1) On the grounds of the implicit assumption (iii) mentioned above, the joint
benefit is supposed to be greater than the cost sustained to achieve it: b > c.

(p2) A fortiori, the cooperative global reward is higher than costs, which are
distributable; since for simplicity we are assuming that the game is played by two
agents only: R = (b - c/2) > 0.

(p3) The benefit of temptation must be lower than the benefit of global
cooperation (bDC⁴ < bCC), since the benefit is proportioned to costs.

(p4) B = 0, since no-one is contributing to the benefit.

(p5) D = "don't contribute", since benefit is global.

⁴ This stands for the total benefit of the (D,C) combination.

Consequences

(c1) By (p3), bCC > bDC.

(c2) By (p5), T = (bDC - 0).

(c3) Two alternatives:

If bDC ≤ (bCC - c/2),
    then R > T; preference order: (R > T > B > B) ≠ (T > R > B > S).

If bDC > (bCC - c/2),
    if (bDC - c/2) > 0,
        then S > B; preference order: (T > R > S > B) ≠ (T > R > B > S);
    if (bDC - c/2) < 0,
        then c > b, thereby infringing the assumption of rational action.

Therefore, either the preference order is different from that which is assumed by 
the PD-game structure or the assumption of rational action does not hold. 

Cost-independent global benefit with iterated actions. The benefit is none-or-all,
independent of the size of the costs sustained by contributors, and cannot be split
among them, and is achieved by several instances of the same action.

A typical example is parliamentary obstructionism, where deputies belonging
to the same party or coalition take the floor in succession to prevent a given law
from being voted. (Political) elections also belong to this category: people vote for a given
candidate, who will be elected only if the votes received exceed a certain
threshold. If their candidate is elected, supporters will enjoy a joint benefit.

Suppose the common benefit is to have the labour party win the elections. The
cooperative action C is therefore 'vote' while the non-cooperative action D, by those
expected supporters who went instead to the beach, is 'not vote'.

We have two alternatives here: the agents will obtain their global benefit (the 
candidate will be elected) or they will not. For the purpose of our reasoning, the 
former alternative is all we need to consider. 

Thesis 2. 

The outcome of S is no lower than the outcome of B, thereby infringing the
preference order (R > T > B > S). As a consequence, hawk is not a dominating 
strategy (is not always preferable). 

Proof 2. 

Premises 

(p1) Since benefit is not distributable, the payoff of the (dove, dove) combination
is equal to the benefit minus the cost of each contributor: R = b - c/2.

(p2) b > c/2, by the assumption of rational action.

(p3) Since benefit is independent of cost, there is no difference between the
(dove, dove) benefit and the (hawk, dove) benefit: bCC = bDC.

(p4) D = don't contribute (don't vote).

(p5) Since no benefit will be obtained if no-one votes, B is always < 0.

Consequences

We have two possible consequences, depending on whether (') or not (") the
quorum is reached and the candidate is elected:

Quorum reached ('):

(c1') T > R, by premises (p1) and (p3);

(c2') R > 0, by premise (p2);

(c3') S = R, by premises (p1) and (p3), and therefore > 0;

(c4') therefore S > B, by premise (p4).

If the candidate is elected, the preference order will be
(T > R = S > B) ≠ (T > R > B > S).

Quorum not reached ("):

(c1") T > R, by premise (p1);

(c2") R < 0, by definition (the candidate has not been elected but the cost of
contribution has been sustained);

(c3") S = R, by premise (p3), and therefore < 0;

(c4") B < 0, by premise (p4), and therefore < S. But since S = R, B < R.

If the candidate is not elected, the preference order will be
(T > R = S = B) ≠ (T > R > B > S).



In any case, the preference order infringes that which is assumed by the PD-game 
assumption. 

Cost-independent distributed benefit with complementary actions. The quantity of
benefit does not depend on the contribution: it is a yes/no effect of (cooperative)
action. However, it must be enjoyed distributedly, as opposed to jointly, by its
contributors. A typical example is to split a booty⁵: suppose two thieves decide to rob
a jewellery shop. One executes the actual robbery while the other does the car driving. We
have a multi-agent plan (MAP) - rob the jewellery shop and drive the car - and an
alternative between C and D: C is 'share' the booty; D is 'not share' the booty.

Suppose the value of the booty is b and the cost of the whole MAP equals c,
where (b - c) > 0 according to the assumption of rational action, i.e. (iii); the outcome
payoffs are as follows:



⁵ This may be considered by the reader to be equivalent to the Stag Hunt Game (inspired by
Rousseau (1755/1913)), where the cooperative enterprise is to hunt a deer (cf. Binmore
1994:121; several examples of this game are applied to the international relations literature;
see, for example, Jervis, 1978). Unless the players play their part in the enterprise, this is
bound to fail. However, once the players have separated to execute each one's share of the
plan, one or the other may be tempted to trap a hare, since this is an activity which requires
no help from anyone. However, if both end up by trapping hares, they will hinder each other.
The similarity between this situation and the one we are describing is only apparent because,
unlike our example, in the Stag Hunt game, R > T, and it is not clear why a player should be
induced to defect:

Fig. 2: Stag Hunt Game

Thesis 3

The outcome of S is no lower than the outcome of B, thereby infringing the
preference order (R > T > B > S). As a consequence, hawk is not a dominating 
strategy (is not always preferable). 

Proof 3 

Premises 

(p1) Benefit is distributed and cost-independent: R = b/2 - c/2.

(p2) (b/2 - c/2) > 0 (rational action).

(p3) b is not obtained if any one agent does not contribute (heterogeneous actions):
D = "don't share".

Consequences

(c1) by premises (p1) and (p3), T = b - c/2; cheat consists of not sharing the booty;

(c2) by p3 and the definition of the game: if the hawk move is "don't share", the
(hawk, hawk) combination amounts to contributing (doing the action needed) and then
snatching the booty from each other's hands: B = 0 - c/2;

(c3) by p1 and p3, S = 0 - c/2, and therefore S = B. The preference order is
(T > R > S = B) ≠ (T > R > B > S).

Cost-independent distributed benefit with iterated actions. The benefit is a yes-or-no
effect to be enjoyed separately, but the MAP includes several (in our example,
two) instances of the same action, as when two predators run at each side of the prey.
If any stops, the prey will run away, and no-one will achieve any share of the booty.
This is equal to the previous case⁶.

Cost-independent global benefit with complementary actions. The benefit of
cooperation is a yes-or-no effect, to be enjoyed jointly but it is achieved by 
complementary actions. A typical example is teamwork, for example a car convoy: 
one does the driving of a car that both want to get to destination, while the other does 
the leading (the example is drawn from Cohen and Levesque 1991). Here, 
interestingly, the PD-game properties do not apply. In fact to cheat at the level of 
actions, which are both necessary to obtain the benefit, is impossible. But to cheat at 
the level of the goal is useless, since the benefit is not distributable! 

Thesis 4 

Preference order is different from that which defines the PD-game structure (the 
hawk move is not a dominating strategy). 

Proof 4 

Premises 

(p1) By definition, b is not distributable: R = (b - c/2).

(p2) By definition, actions are complementary.

(p3) b > c.

Consequences

(c1) by p1, the hawk move (D) must be different from "don't share"; therefore, the
hawk move is "don't contribute";

(c2) by p1, R = b - c/2;

(c3) by p2, B = 0 and T = 0;

(c4) by the previous consequences and (p3), R > T = B;

(c4) by p1, S = 0 - c/2; B > S.

The preference order is (R > T = B > S) ≠ (T > R > B > S).

⁶ As in the previous case, the actions are both necessary to catch the prey. The argument follows
therefore the same line as before.

Cost-dependent global benefit with complementary actions. Here, the benefit
cannot be enjoyed separately, but it depends on the costs sustained by contributors. 
Actions are complementary. The example is an orchestra giving a concert: the 
elements of the orchestra are complementary, and the final result depends on the 
costs sustained by each of them. The more each contributes, the better the final result 
they will jointly enjoy. 

Thesis 5 

Either the preference order is different from that which defines the PD-game 
structure (hawk is not a dominating strategy), or the assumption of rational action 
does not hold. 

Proof 5 

Premises 

(p1) By definition, b is not distributable: R = b - c/2.

(p2) By definition, benefit is cost-dependent: the (hawk, dove) combination (DC)
produces a global benefit lower than the (dove, dove) combination (CC): bCC > bDC.

(p3) By definition, actions are complementary: D = "don't contribute" and B = 0.

(p4) b > c.

Consequences

(c1) By (p3): T = bDC - 0, and B = 0;

(c2) by (p2), bDC < bCC;

(c3) Either bDC ≤ (bCC - c/2), in which case, by the previous consequence, the
preference order is R > T > B > S, or, if it is higher, it must also be the case that
(bDC - c/2) > 0, otherwise b < c, which is ruled out by (p4; see Proof 1). But if
(bDC - c/2) > 0, S = bDC - c/2 > 0, and S > B.

Either the preference order is different from (T>R>B>S), or the assumption of 
rational action does not hold (b < c). 

Cost-dependent distributed benefit with iterated actions. Here, the benefit can be
shared and its amount depends on contributors: agents can cheat both at the level of
the goal and at the level of contribution. The ideal-type example is the (seasonal)
restrictions in resource exploitation: people refrain from harvesting or fishing for each
to obtain a better fish or harvest after some time. The more they respect the
constraints, the more likely each will find resources in the future.

Thesis 6 

Either the Pareto-inefficiency assumption does not hold, or the preference order is 
different from the one assumed by the PD-game structure. 

Proof 6 

Premises 

(p1) By definition, b is distributable: R = b/2 - c/2.

(p2) By definition, benefit is cost-dependent: bDC < bCC.

(p3) D = either "don't share", in which case T = bDC - c/2, while B = (0 - c/2)

or

(p4) D = "don't contribute", in which case T = bDC/2 - 0, and B = 0.

(p5) b/2 > c/2.

Consequences

Two alternatives may occur:

(c'1) D = don't share: T = (bDC - c/2), and S = (0 - c/2) = B;

(c"1) D = don't contribute: T = (bDC/2 - 0), and B = 0.

If bDC/2 < (bCC/2 - c/2),
    then (by p2) R > T; preference order is (T > R > S = B);
if bDC/2 > (bCC/2 - c/2),
    if (bDC/2 - c/2) > 0,
        then S > 0; preference order is (R > T > S > B);
    if (bDC/2 - c/2) < 0,
        then b/2 < c/2, which is ruled out by (p5).

Either the preference order is different from that which defines the PD-game
structure, or the assumption of rational action does not hold.

Cost-dependent distributed benefit with complementary actions. This is close to
splitting a booty except that the amount of benefit is a function of whether
complementary actions are performed. Cheat can occur at the level of action, ("don't 
contribute"), and at the level of the benefit, ("don't share"). The typical example is 
farming, in which agents perform complementary actions, and the amount (harvest) is 
determined by how much each contributes. However, since actions are 
complementary, all agents must contribute. Participants will equally share the benefit, 
although some (cheaters) will have contributed less than others. 



Thesis 7 

Preference order is different from that which defines the PD-game structure (hawk 
is not a dominating strategy). 

Proof 7

Premises

(p1) By definition, benefit is distributable: R = b/2 - c/2.

(p2) By definition, benefit is cost-dependent: bCC/2 > bDC/2.

(p3) By definition, actions are complementary: D = "don't share".

(p4) b > c.

Consequences

(c1) By (p3), T = (bDC - c/2) and B = (0 - c/2).

(c2) By the previous consequence, S = (0 - c/2) = B.

Preference order: (T > R > S = B) ≠ (T > R > B > S).

To sum up, in all the situations examined agents are cooperating to achieve a
common goal. There is mutual dependence, but the degree of dependence varies with
the benefit and action dimension considered. PD-game applies to none of those
situations since one or other of its properties is infringed. In weaker dependence
situations (distributable benefit and iterated actions) defection is possible although
not dominant (see Figure 3).

Fig. 3: Strong and weak dependence. Room for defection



2.5 Reciprocal Dependence and Bargaining

Two agents enter a relation of exchange when each contributes to the partial 
achievement of the other's goal. In particular, a special case of exchange, namely 
barter, fits comfortably the framework of a PD-game. In bargaining, x gives y to
obtain ry, and y gives x ry to obtain rx; the value of rx for its recipient = value of ry
for its recipient, but the value of rx for the giver is higher than the value of for the
recipient (and the same is true for ry).

dove = give one's resource to obtain the other's; 

hawk = give nothing. 

Recipient value = b; 

giver's cost = c; 

b > c 

R = (b - c) > 0;

T = b;

S = (0 - c) < 0;

B = 0.

In such a situation, all the properties of PD-game and the assumptions hold. 
Indeed, in one-shot bargaining, defection is a strongly dominating strategy [...]. 
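
The payoff assignments used above (Proofs 1, 3 and 4, and the bargaining case of this section) can be checked mechanically. The following Python code is an added example, not part of the original paper; the class and function names and the sample values are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Payoffs:
    """One player's payoffs, using the paper's letters."""
    R: float  # (dove, dove)
    T: float  # (hawk, dove): payoff to the hawk
    S: float  # (dove, hawk): payoff to the dove
    B: float  # (hawk, hawk)

    def ranking(self):
        """Order the four outcomes, e.g. 'T>R>S=B' (ties keep the T, R, S, B order)."""
        items = sorted([("T", self.T), ("R", self.R), ("S", self.S), ("B", self.B)],
                       key=lambda kv: -kv[1])
        text = items[0][0]
        for (_, prev), (name, val) in zip(items, items[1:]):
            text += ("=" if val == prev else ">") + name
        return text

    def is_pd(self):
        """The strict PD-game preference order T > R > B > S."""
        return self.T > self.R > self.B > self.S

    def hawk_dominates(self):
        """Hawk is strictly better whatever the other player chooses."""
        return self.T > self.R and self.B > self.S


def bargaining(b, c):
    """Section 2.5: recipient value b, giver's cost c."""
    return Payoffs(R=b - c, T=b, S=0 - c, B=0)


def split_booty(b, c):
    """Proof 3: distributed benefit, hawk move is "don't share"."""
    return Payoffs(R=b / 2 - c / 2, T=b - c / 2, S=0 - c / 2, B=0 - c / 2)


def convoy(b, c):
    """Proof 4: global benefit, complementary actions."""
    return Payoffs(R=b - c / 2, T=0, S=0 - c / 2, B=0)


def pollution(b_cc, b_dc, c):
    """Proof 1: cost-dependent global benefit, with b_dc < b_cc."""
    return Payoffs(R=b_cc - c / 2, T=b_dc - 0, S=b_dc - c / 2, B=0)


def classify(p):
    """Return (ranking, is PD-game order, hawk strictly dominant)."""
    return (p.ranking(), p.is_pd(), p.hawk_dominates())


if __name__ == "__main__":
    # Constructed sample values: b = 10, c = 2.
    for name, p in [("bargaining", bargaining(10, 2)),
                    ("split a booty", split_booty(10, 2)),
                    ("car convoy", convoy(10, 2)),
                    ("pollution, high b_dc", pollution(10, 9.5, 2)),
                    ("pollution, low b_dc", pollution(10, 6, 2))]:
        print(name, classify(p))
```

Only the bargaining case yields the strict order T>R>B>S with hawk as a strictly dominant move; in the mutual-dependence cases either T does not exceed R or B does not exceed S.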



3 Cooperation Is More than Honest Bargaining 

Obviously, things change if we add a temporal perspective: in repeated games, the 
more convenient solution at the individual level will also be closer to a Pareto- 
efficient solution: as mathematical analysis, and many experimental findings, and 
simulation results converge to show, the dove strategy becomes rational in repeated 
versions of the game. 

However, the dove strategy in the repeated version of the PD-game does not 
emerge from mutual dependence and cooperation: in the prospect of re-encounter, 
agents realise that they depend reciprocally on each other. In other words, they realise 
that each needs the other to reciprocate herself. But still there is no actual 
cooperation; there is no joint achievement of a common goal. There is not even a 
weak form of mutual dependence. Social intelligence leads agents to understand that 
they must come to an agreement, committing one before the other to reciprocate. 
Indeed, commitment is needed precisely when dependence does not provide a 
sufficient instrumental bind, which is another way to say that dependence is not 
mutual! A self-interested agent does not care about the achievement of a goal he does 
not share. Reciprocally depending agents do not share goals. Therefore, each will 
care about the other's goal only as long as she is able to ensure the achievement of her 
own goal. This is also true in the repeated version of the PD-game. To see this, it
suffices to recall that in finite repeated games, rational agents will reciprocate only up
to what they believe to be the last but one move. If they were cooperating in the full
sense of the word, they would do so until completion of the plan (unless they drop
their goal earlier).

PD is inapt to model cooperation as distinct from bargaining. Indeed, it actually
obscures an important social matter of fact, namely, that one-shot cooperation is 
feasible. Actually in order to model cooperation, it is no use to extend the temporal 
perspective of the PD-game! This solution is still inadequate because it fails to 
distinguish cooperation from honest bargaining. GT, indeed, deals with the problem of
social contract, reciprocity, etc. We believe such a problem exists and is important.
But it does not cover all important pro-social phenomena. Cooperation is more than 
simply avoiding the Hobbesian state of nature. It includes executing multi-agent 
plans, that is, plans which must be executed by more than one agent in order to 
achieve a common goal. In order to grasp this notion of cooperation, it seems 
necessary to ground social interdependence on a lower-level theoretical ground, 
namely on a theory of action and planning. 



4 Concluding Remarks: Why Bother with Feasible Cooperation? 

In this paper, we endeavoured to show the role of a plan-based model of 
dependence as a baseline for checking the applicability of PD-game to ideal-type 
social situations. Thanks to such a model, we have distinguished cooperation, as 
occurring among mutually depending agents achieving a shared goal, from 
bargaining, which holds between reciprocally depending agents which achieve 
different goals. Furthermore, we have distinguished levels of mutual dependence, and 
shown that while PD-game never applies to a situation of mutual dependence, weaker 
forms of mutual dependence allow for defection as a non-dominant strategy, while 
stronger forms of mutual dependence do not allow for defection at all. 

However, a game-theorist would probably ask now, where is the problem with 
feasible emergent cooperation? If cooperation is feasible, and does not pose any 
social dilemma, paradox, etc., why bother with it? The problem for a social scientist
becomes interesting when a dilemma is at stake. 

There are several answers to this question. First, we need a theory which provides 
grounds for payoffs interdependence. Why? Because we must be able to explain and 
predict temptation to cheat. The reasons for cheating reside in the structure of 
cooperative and non-cooperative actions and plans. Only on such grounds are we
able to predict when one-shot cooperation is possible and when, instead, cheating is
likely to occur: in the case of Olson's public good, a theory of cooperation in terms of
goals enables us to predict that agents will not cheat when they think: (a) they are
necessary to obtain the benefit and (b) this is global! Only a theory of action which
gives grounds for payoffs enables us to make such a prediction.

To disentangle cooperation from bargaining seems useful not only to develop a 
more exhaustive view of the variety and complexity of social life, or to predict the 
likelihood of free-riding, cheat, etc.; but also to relinquish the legend of a steadily 
ominous state of nature, calling for a "mutually agreed upon mutual coercion". 

Abstract. What is relevant for the effectiveness of a multi-agent system
is the interaction between agents, rather than their peculiar internal
model. The design of a single agent architecture should then concen- 
trate on agent observable behaviour and on its interface towards the 
outside. Moreover, a multi-agent architecture should be designed around 
the choice of a suitable coordination model, accounting for all the aspects 
of agent interaction. Accordingly, the effective design of a multi-agent 
architecture should focus on the role and properties of the coordination 
media (the communication abstractions) within the coordination model, 
instead of the coordination entities (the agents). 

The main aim of this paper is to show how a multi-agent system may ben- 
efit by a coordination model whose flexibility and expressive power lies 
in the extensibility of the coordination medium. Extensibility can result 
from the embodiment of computational properties typically in charge of 
the agents into the communication abstraction. 

As an example, we show how a shared communication device à la Linda
works as the core of a flexible coordination architecture in the Linda-based
ACCT coordination model. ACCT tuple spaces are enhanced so
as to be reactive to communication events, rather than to communication 
state changes only. So, ACCT tuple spaces are programmable. Reactions 
to communication events can be defined through a logic-based speci- 
fication language, and have the semantics of asynchronous, mutually- 
independent atomic transactions. By defining different observable be- 
haviours for ACCT tuple spaces through reaction programming, a multi- 
agent architecture can exploit a number of different agent coordination 
policies without affecting the single agent behaviour. 

Keywords: Multi-Agent Systems, Coordination Model, Transactions, 
Extensible Communication Abstraction 



1 Introduction 

According to [14], interaction adds a fundamental dimension to computing, in 
that complexity of interactive systems makes them unsuitable for a complete 
characterisation in terms of a formal system such as, for instance, an operational 
semantics based on state transitions. Being intrinsically interactive, multi-agent
systems are naturally better characterised by the model of component interac- 
tion, as well as by the observational behaviour of their components, rather than 
by the rules of agent inner computation. As a result, agent architectures can 
be designed independently of agent internal models, by focussing on agent ob- 
servational behaviour, thus intrinsically providing for agent heterogeneity. As a 
further consequence, the design of a multi-agent system crucially depends on the 
choice of an adequate coordination model, suitably accounting for communica- 
tion, synchronisation, cooperation, and competition among agents. 

Due to this shifting focus from agents to agent interaction, the communica- 
tion abstraction is asked to play a major role within the coordination model. 
In particular, this paper aims to show the benefits of a flexible coordination 
model based on an extensible coordination medium for a multi-agent system. 
Extensibility can be achieved by suitably embodying computational properties 
into the communication abstraction, so that its behaviour can be properly mod- 
ified according to the system needs. One important expected consequence of 
this approach is that, once the coordination model for the multi-agent system is 
given, the choice of a particular interaction policy should not affect agent design. 
Agents could be designed according to a quite abstract model of observational 
behaviour that the communication abstraction should be able to interpret and 
handle according to the required interaction model. Indeed, this seems to be 
quite a desirable property, from both a conceptual and a practical viewpoint. 
In fact, this makes interaction policy be in charge of the coordination media [5], 
where interaction actually takes place, instead of the single coordination entities, 
which should not be conceived as having a view of the system as a whole. In 
practice, agents of a multi-agent system may often be difficult or even impossible 
to modify, so their observable behaviour could not be (easily) accommodated to 
accomplish a range of different interaction strategies. 

To show the effectiveness of this approach, we discuss the Linda-based ACCT 
coordination model [12]. By introducing the notion of generative communication 
and promoting the separation between the computation model and the coordi- 
nation model [11], based on a shared memory communication abstraction (called 
tuple space), Linda [9] provides an effective approach to the design of multi-agent 
architectures. ACCT adopts and extends the basic Linda communication kernel. 
What is relevant to the main topic of this paper is the ACCT notion of reactive 
tuple space, based on the idea of providing the communication abstraction with 
the capability to react to communication events rather than just to the global 
communication state as in standard Linda, thus lifting the system observabil- 
ity from tuples to operations on tuples. Communication operations can then be 
associated to reactions by means of a simple specification language (which is 
also based on logic tuples and basic operations over tuple spaces, thus reusing 
the same communication pattern) making it possible to program the behaviour 
of the communication abstractions in terms of event reactions. Different agent 
interaction policies can be accomplished given the same agent behaviour, since 
agents can delegate part of the synchronisation, cooperation, and competition 
load to the (extensible) communication abstraction. 

This work is structured as follows. Section 2 briefly describes ACCT reactions,
and discusses the enhanced role of the coordination medium in the ACCT
coordination model. Section 3 shows two examples of how a simple multi-agent system
can be designed around the communication abstraction behaviour, by properly
programming tuple space reactions to communication events. A third example
shows how the interaction policy of a multi-agent system can be changed by suitably
programming the behaviour of the coordination medium, without affecting
the agent interaction protocol. Conclusions and final remarks are reported in
section 4.

2 Enhancing the Communication Abstraction 

The ACCT coordination model (first presented in [12], and originating from
research activities in the robotics field [15]) extends the basic Linda coordination
model with the notions of logic tuple space (see also [3,4]), of multiple tuple spaces
[10], and of reactive tuple space [6]. In the ACCT model, communication takes
place through a multiplicity of named logic tuple spaces, which are collections of
first-order unitary clauses, uniquely identified by a ground term. In particular,
a logic tuple space may be given a twofold interpretation, either as a simple
communication device, or as a knowledge repository. According to the latter
reading, a logic tuple space can be used as a logic theory, where deductive activ- 
ities over the communication state can be performed. For this purpose, ACCT 
provides for a family of demo primitives, along with a coherent notion of logic 
consequence in a time-dependent environment [12]. 

The ACCT model is based on the notion of reactive tuple space, making tuple 
spaces reactive to communication events rather than to communication state 
changes only [6]. In addition, the response of the tuple space to communication 
events is not fixed once and for all by the communication protocol. Instead, it can 
be specified by programming the tuple space behaviour, by defining reactions to 
relevant communication events. A specification language, founded on the same 
model adopted for agent interaction, based on logic tuples and tuple spaces, is 
then defined for reaction programming. 



2.1 The Reaction Model 

The ACCT reaction model is based on the idea of defining a set of logical events, 
each denoted by a unique name, which are associated with physical (communica- 
tion) events. Multiple physical events may correspond to the same logical event, 
and, conversely, multiple logical events may be connected to the same physical 
event. The association between communication events and logical events is represented
by a special tuple of the form map(Operation, Event), which captures
the idea that each time Operation is performed on the tuple space, a logical 
Event occurs. 

Logical events can be associated with reactions triggered in response to the 
event occurrence. The behaviour of each reaction is specified through a tuple of 
the form react(Event, Goal), where the reaction body Goal is the collection of
the primitive operations to be executed in response to the occurrence of the logical
Event. Syntactically, a reaction body is defined as a conjunction of reaction
goals. A reaction goal is an atomic formula of one of the following kinds:

— non-blocking communication primitives (out, in_noblock, rd_noblock, ...)

— state primitives (current_agent/1, current_tuple/1, current_op/1, ...)

— term predicates (term equality/inequality, term unifiability/non-unifiability, ...)



Since reaction goals are actually executed sequentially at the system level, their 
relative order may influence the result of the reaction. For instance, supposing 
the tuple space initially empty, the reaction 

(in_noblock(x_value(X)), out(x_value(X+1)), out(x_value(1)))

fails, while the reaction

(out(x_value(1)), in_noblock(x_value(X)), out(x_value(X+1)))

succeeds, emitting a tuple of the form x_value(1+1).

Since a multiplicity of react/2 tuples can be specified for the same logical 
event, multiple reactions may correspond to one logical event. Such reactions are 
executed as mutually-independent actions in a non-deterministic order. 



2.2 Reactions as Transactions 

ACCT reactions are executed with an all-or-nothing transaction semantics: a
reaction is brought to an end if and only if all its reaction goals succeed, in
which case all side-effect operations possibly associated with the reaction itself
are realised simultaneously. Instead, if even one subgoal fails, the reaction is
virtually cancelled, yielding no effect at all.* Consider, for instance, the following
reaction, which is supposed to have been associated with the out operation:†

(current_tuple(p(_)), in_noblock(p(a)), in_noblock(p(X)), out(pp(a,X)))

Each time a new tuple is inserted in the tuple space, this reaction checks for the
presence of two p/1 tuples (one of which should be p(a)) and then replaces them
with one single pp/2 tuple. If some part of the reaction fails (possibly because
there is only one p/1 tuple instead of the two required), the reaction has no effect
at all, and appears as never having happened at the agent perception level. So, no
tuples are actually removed from the tuple space, nor are any other side-effects
ever performed.‡ As a result, the communication abstraction behaves so that
the simultaneous presence of the two p/1 tuples is perceived by the multi-agent
system as the single pp/2 tuple.

* As a further consequence, reactions executed in response to communication events
triggered by another reaction are handled only after such reaction has been
successfully completed (or, of course, are cancelled if the same reaction fails).
Accordingly, the ACCT reaction scheme does not allow reaction nesting.

† Although ACCT exploits multiple tuple spaces, we will henceforth leave this feature
aside, since it is not relevant in the context of this work. Thus, we will always refer
any communication primitive to a sort of “default tuple space”, without specifying
any tuple space name.

As shown in subsection 2.1, multiple reactions to the same logical event, as 
well as multiple logical events mapping the same communication event, trigger 
the execution of a multiplicity of reactions. In addition, a reaction may trigger 
other reactions as a consequence of its successful completion, since it may contain 
communication primitives. So, it is possible for many reactions to be executed 
in response to one communication event. The key point is that all such reactions 
(both those directly triggered by the event, and those triggered by other reactions 
produced by the event) are actually executed before serving any other
agent-triggered communication event. As a result, agents can perceive only the
final result of the execution of both the communication event and the set of all
the reactions triggered by it both directly and indirectly.

Generally speaking, reactions enhance the expressive power of the coordi- 
nation model. Thanks to the execution model of ACCT reactions, agents still 
perceive the response of a tuple space to a communication event as a single 
computational step, a single transition of the tuple space state. However, such 
a transition is no longer bound to be simple (adding/deleting one tuple) and
fixed by the model, but can instead be defined to be as complex as desired by
programming reactions. For instance, in the example above, when viewed from
an agent perspective, the simultaneous presence of the two p/1 tuples is never
perceived, and one single out operation results both in the removal of a tuple 
and in the insertion of another. Moreover, the inserted tuple is not exactly the 
one specified by the out operation, but is related both to that one, and to the 
state of the tuple space. 

As a result, the observational behaviour of the communication abstraction in 
response to a communication event can be modelled through reaction program- 
ming. This can be used to carry out different agent interaction policies without 
affecting agent models. By freeing agents from the charge of explicitly handling 
a (possibly complex) interaction protocol, ACCT allows coordination entities 
to be designed according to a straightforward communication protocol, while
charging the coordination media with most of the coordination tasks.

The following section shows some meaningful examples of small multi-agent 
systems. 

3 Examples 

3.1 Transmission of an Encrypted Message 

Suppose that a long message has to be transmitted in an encrypted form by
agent A to agent B. Due to the message length, the computational load required
to encode and decode it with a safe (yet computationally heavy) two-key (private
and public) algorithm would likely be unacceptable. A typical approach consists
then of encrypting the message using a (much simpler) single-key algorithm,
which calls for a safe way to let the receiver know the encoding key. Since this
key is always relatively short, it can be safely transmitted using the two-key
algorithm without a high computational cost.

‡ In particular, no implicit knowledge classification is performed in response to the
in_noblock operation: see [12,7] for further details.

More precisely, to safely send message M to B, the sender A should: 

— choose the key KM to encrypt M, producing the encrypted message CM;

— read from the key directory the public key of B, KpubB, and use it to encrypt
the key KM, thus producing CKM;

— emit both CM and CKM in the proper tuple space, by means of two out
operations.

On its side, the receiver B should:

— wait for the tuple representing the encrypted key, CKM;

— using its private key, KprivB, decrypt CKM so as to restore the message
encryption key, KM;

— wait for the encrypted message CM;

— use the key KM to decode the message, thus rebuilding the original message
M.

While the sender’s activity is just a sequential process, requiring no synchroni- 
sation, the receiver’s activity requires that two distinct message components are 
available in order to rebuild the message. So, B should either remain waiting for 
such components or poll regularly the tuple space checking for their availability. 
In either case, it would be in explicit charge of handling an irrelevant activity, yet 
without knowing which of the two message components will appear first. This 
may result in a deadlock situation in the case that one of them, for whatever 
reason, is not produced properly. 

Suppose, for instance, that B's activity is expressed in a code like 

in_noblock(msg_key(To,MsgID,CKM)),
in(encoded_msg(MsgID,CM)), ...

If, after getting a tuple like msg_key(To,MsgID,CKM), the subsequent message
tuple encoded_msg(MsgID,CM) is never received (for instance, because it gets
lost), B would remain suspended forever. If, in order to avoid this behaviour,
in(encoded_msg(MsgID,M)) is transformed into a non-blocking in operation
in_noblock(encoded_msg(MsgID,M)), B should then handle the message queue
on its own, while it would be preferable to not be concerned with such synchro- 
nisation activities at all. 

In ACCT, instead, the deadlock risk could be avoided by programming the
tuple space behaviour so as to make the simultaneous presence of the two
required information chunks perceivable at the agent level as a single event. This
could be done by simply associating the following reaction to all out events,
succeeding only if both message components are available:

(in_noblock(msg_key(To,MsgID,CKM)), in_noblock(encoded_msg(MsgID,CM)),
out(decode(To,CKM,CM)))

The result of such a (successful) reaction would then be the production of a
tuple of the form decode(To,CKM,CM), which can be decoded by the receiver
by means of its private key, thus obtaining the encryption key K, to be used
to decode the message from A. Thus, B has simply to either regularly poll the
tuple space with an in_noblock(decode(BID,CKM,CM)), or to suspend itself on
an in(decode(BID,CKM,CM)), waiting for such a tuple to become available.
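
The all-or-nothing reaction semantics of subsection 2.2 and the join reaction of subsection 3.1, as an added Python example that is not the authors' ACCT implementation. It assumes first-match tuple selection with no backtracking, a hypothetical ANY wildcard in place of logic variables, and constructed byte strings standing in for CKM and CM.

```python
from collections import deque

ANY = object()  # hypothetical wildcard playing the role of an unbound variable


class ReactionFailed(Exception):
    """A reaction goal failed: the whole reaction must leave no trace."""


def matches(pattern, tup):
    return len(pattern) == len(tup) and all(
        p is ANY or p == t for p, t in zip(pattern, tup))


class Transaction:
    """Private working copy of the space on which one reaction runs."""
    def __init__(self, tuples):
        self.tuples = list(tuples)
        self.emitted = []  # tuples put out by the reaction (new out events)

    def out(self, tup):
        self.tuples.append(tup)
        self.emitted.append(tup)

    def in_noblock(self, pattern):
        for tup in self.tuples:
            if matches(pattern, tup):
                self.tuples.remove(tup)
                return tup
        raise ReactionFailed(pattern)


class TupleSpace:
    def __init__(self):
        self.tuples = []
        self.reactions = []  # every reaction here is mapped to the out event

    def out(self, tup):
        """Agent-level out: returns only after all triggered reactions ran."""
        self.tuples.append(tup)
        pending = deque([tup])
        while pending:
            event = pending.popleft()
            for reaction in self.reactions:
                tx = Transaction(self.tuples)
                try:
                    reaction(tx, event)
                except ReactionFailed:
                    continue  # cancelled: working copy dropped, no effect
                self.tuples = tx.tuples     # commit every side effect at once
                pending.extend(tx.emitted)  # served after the commit, no nesting

    def in_noblock(self, pattern):
        for tup in self.tuples:  # agent-level poll: None when nothing matches
            if matches(pattern, tup):
                self.tuples.remove(tup)
                return tup
        return None


def join_message(tx, _event):
    # (in_noblock(msg_key(To,MsgID,CKM)), in_noblock(encoded_msg(MsgID,CM)),
    #  out(decode(To,CKM,CM)))
    _, to, msg_id, ckm = tx.in_noblock(("msg_key", ANY, ANY, ANY))
    _, _, cm = tx.in_noblock(("encoded_msg", msg_id, ANY))
    tx.out(("decode", to, ckm, cm))


def pair_p(tx, event):
    # (current_tuple(p(_)), in_noblock(p(a)), in_noblock(p(X)), out(pp(a,X)))
    if not matches(("p", ANY), event):
        raise ReactionFailed(event)
    tx.in_noblock(("p", "a"))
    _, x = tx.in_noblock(("p", ANY))
    tx.out(("pp", "a", x))


def demo_encrypted_message():
    ts = TupleSpace()
    ts.reactions.append(join_message)
    ts.out(("msg_key", "B", 42, b"constructed-CKM"))  # wrapped key arrives first
    early = ts.in_noblock(("decode", "B", ANY, ANY))   # B polls: nothing to see
    key_kept = ts.tuples == [("msg_key", "B", 42, b"constructed-CKM")]
    ts.out(("encoded_msg", 42, b"constructed-CM"))     # ciphertext arrives
    ready = ts.in_noblock(("decode", "B", ANY, ANY))
    return early, key_kept, ready, ts.tuples


def demo_pairing():
    ts = TupleSpace()
    ts.reactions.append(pair_p)
    ts.out(("p", "a"))
    after_first = list(ts.tuples)  # second p/1 missing: reaction rolled back
    ts.out(("p", "b"))
    return after_first, list(ts.tuples)


if __name__ == "__main__":
    print(demo_encrypted_message(), demo_pairing())
```

The failed first attempt consumes msg_key only inside the discarded working copy, so the key tuple is still present when the ciphertext arrives and the receiver never observes a half-delivered message.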



3.2 The Dining Philosophers 

As an example of the flexibility provided by the extensibility of the
communication abstraction to the ACCT model, we discuss an implementation of the
classical dining philosopher problem [8], based on reactions. The main character- 
istic of this problem is that, in order to avoid deadlock situations, a philosopher 
should either get the two forks he needs to eat, or get none. This means that the 
two forks should be obtained through a transaction. Moreover, in order to ensure 
fairness, both fork acquisition and fork release should be performed atomically. 

When trying to express the solution to this problem in Linda, the main prob- 
lem is that the natural choice of modelling the fork acquisition as a sequence of 
two in operations is not transactional, thus yielding a potential risk of deadlock. 
In that framework, a safe solution requires that the user explicitly handles a 
locking mechanism, thus affecting the agent behaviour. Instead, using ACCT
reactions, transactionality is guaranteed by suitably programming the tuple space
behaviour, with no need for a more complex agent protocol. 

Philosopher agents are designed according to a very straightforward
interaction protocol, which can be described as follows. When a philosopher wants to
eat, he tries to acquire the two forks through an in(forks(F1,F2)) operation.
When he is satiated, and wants to start thinking, he gives the forks back by
means of an out(release(F1,F2)) operation. Given such a simple protocol,
it should be obvious that all the charge of the interaction policy is up to the
communication abstraction.

The request for forks is recorded in the tuple space with a tuple of the form
required(F1,F2), signalling the philosopher is waiting to eat, and is retracted
when the philosopher has been served and can start eating. This is achieved by
the following reaction, which transforms a communication event (a performed in)
into an explicit tuple, recording such an event into the tuple space state. In fact,
the required(F1,F2) tuple indicates that a hungry philosopher has performed a
fork request through an in operation, and that it is currently suspended waiting
for fork availability.

map(in, hungry).

react(hungry, (current_tuple(forks(F1,F2)), pre,
    out(required(F1,F2))
)).

react(hungry, (current_tuple(forks(F1,F2)), post,
    in_noblock(required(F1,F2))
)).

Each available fork is represented by a tuple of the form fork(Fork). Fork
release by a philosopher is handled by the following reaction. 

map(out, thoughtful).

react(thoughtful, (current_tuple(release(F1,F2)),
    out(fork(F1)),
    out(fork(F2)),
    in_noblock(release(F1,F2))
)).

Reaction atomicity ensures that the two forks are released at the same time, 
thus avoiding the unfairness which could be produced by any sequentialisation 
of the two out operations. 

Finally, the tuple space is programmed so as to try to serve a request, if 
possible, whenever a fork is released, or a new fork request is performed. 

map(out, reserve).

react(reserve, (current_tuple(required(F1,F2)),
    in_noblock(fork(F1)),
    in_noblock(fork(F2)),
    out(forks(F1,F2))
)).

react(reserve, (current_tuple(fork(F)),
    rd_noblock(required(F1,F)),
    in_noblock(fork(F1)),
    in_noblock(fork(F)),
    out(forks(F1,F))
)).

react(reserve, (current_tuple(fork(F)),
    rd_noblock(required(F,F2)),
    in_noblock(fork(F)),
    in_noblock(fork(F2)),
    out(forks(F,F2))
)).

The transaction semantics ensures that the forks are reserved only when they are 
both available and needed by someone, and reserved for the proper philosopher. 
Should one of these conditions not hold, reaction would fail and would not have 
any effect on the tuple space at all. 

The agent model does not need to be specialised in order to accomplish the 
competition protocol: a philosopher simply asks for forks when hungry, and sets 
them free when satiated. Agent design can then concentrate on modelling its in- 
ternal architecture, while its interaction model results in being quite simple and 
intuitive. A good deal of the intelligence of the system is then in charge of the 
interaction protocol, which is only of little concern for the single agent. Thus, the
communication abstraction is extended through suitable reaction programming
until it makes the system behave correctly, independently of the agent's internal
model: the only thing needed is that the philosopher agent's emerging behaviour (its
interaction model) accomplishes the very straightforward acquire/release
protocol.

3.3 Philosophers Dining with Labelled Forks 

In order to show how an interaction policy can be modified and made more com- 
plex by changing the behaviour of the coordination medium, without affecting 
the interaction protocol of the coordination entities, we discuss a slight variation 
of the Dining Philosopher example, discussed in subsection 3.2. The basic prob- 
lem is changed in that now there are three forks for each position on the table, 
each one labelled differently according to the kind of meal for which it has to 
be used: breakfast, lunch, or dinner. At any moment in the multi-agent system, 
it is either breakfast, lunch, or dinner time. When it is lunch time, for instance, 
only lunch forks can be given for eating. However, a slowly-eating philosopher 
is allowed to keep on having his meal as long as he needs. So, if he starts eating 
at dinner time, he will be given dinner forks, and will be allowed to keep them 
for eating even when breakfast time comes around. 

With respect to subsection 3.2, the tuple space representation of the forks
is changed from fork(Fork) to labelledfork(Meal,Fork), representing the
fork Fork which can be used at Meal time. Moreover, a timefor(Meal) tuple
is assumed to be always in the tuple space, so that at any time it is possible to
determine which forks to allocate to hungry philosophers. This task obviously
may be charged to a simple agent, signalling the system when it is time to
switch (from breakfast to lunch, from lunch to dinner, and from dinner back to
breakfast). Such an agent could simply perform an out(switch) operation on the
tuple space, which could be simply programmed to properly react consistently,
for instance as follows:

map(out, next).

react(next, (current_tuple(switch), in_noblock(switch),
    in_noblock(timefor(breakfast)),
    out(timefor(lunch)))).

react(next, (current_tuple(switch), in_noblock(switch),
    in_noblock(timefor(lunch)),
    out(timefor(dinner)))).

react(next, (current_tuple(switch), in_noblock(switch),
    in_noblock(timefor(dinner)),
    out(timefor(breakfast)))).

The main thing here is that philosophers are supposed to be totally unaware of
this (as of most of the things of life). In fact, whenever a philosopher gets hungry,
he simply asks for forks, unconcerned with time, whose handling is instead in
charge of the tuple space reactions. As a result, the philosopher protocol is
exactly the same as in the Dining Philosopher example in subsection 3.2. Unlike
that example, however, it may happen that two contiguous philosophers sharing
a fork position can eat at the same time, thus exploiting the availability of
more resources - three forks instead of one. Take for instance the case of a
two-philosopher system, in which both get hungry at breakfast time. Only one of
them (the lucky philosopher) will be assigned the breakfast forks, while the
other (the unlucky philosopher) will be forced to wait. When lunch time comes,
and the lucky philosopher insists on eating, the unlucky one may still be allowed
to eat on his own, since the lucky philosopher is using breakfast forks, and lunch
forks are free. Thus, the two philosophers can eat together, one having lunch,
the other continuing his breakfast.

In order to achieve this behaviour, we have simply to modify slightly the 
reactions of subsection 3.2: 

map(out, reserve).

react(reserve, (current_tuple(required(F1,F2)),
    rd_noblock(timefor(M)),
    in_noblock(labelledfork(M,F1)),
    in_noblock(labelledfork(M,F2)),
    out(used(M,F1,F2)),
    out(forks(F1,F2))
)).

react(reserve, (current_tuple(labelledfork(M,F)),
    rd_noblock(required(F1,F)),
    rd_noblock(timefor(M)),
    in_noblock(labelledfork(M,F1)),
    in_noblock(labelledfork(M,F)),
    out(used(M,F1,F)),
    out(forks(F1,F))
)).

react(reserve, (current_tuple(labelledfork(M,F)),
    rd_noblock(required(F,F2)),
    rd_noblock(timefor(M)),
    in_noblock(labelledfork(M,F)),
    in_noblock(labelledfork(M,F2)),
    out(used(M,F,F2)),
    out(forks(F,F2))
)).

react(reserve, (current_tuple(timefor(M)),
    rd_noblock(required(F1,F2)),
    in_noblock(labelledfork(M,F1)),
    in_noblock(labelledfork(M,F2)),
    out(used(M,F1,F2)),
    out(forks(F1,F2))
)).

map(out, thoughtful).

react(thoughtful, (current_tuple(release(F1,F2)),
    in_noblock(used(M,F1,F2)),
    out(labelledfork(M,F1)),
    out(labelledfork(M,F2)),
    in_noblock(release(F1,F2))
)).

The interaction policy discussed in this example can be adapted to any case of
renewable cyclic shared resources with limited lifespan, like in the case of clerks
in a post office: some of them working (i.e., being available) from 6am to 12pm,
some others from 12pm to 6pm, (supposedly) every day. However, what this
example really aims to show is how reaction programming can be exploited to 
modify the behaviour of a multi-agent system with no change to the behaviour 
of the agents. New notions (like meal time, and labelled forks) are introduced 
in the system, new resources are made available (more forks), a new policy for 
resource assignment is adopted, but the philosopher agents are allowed to keep 
on using the same straightforward acquire/release forks protocol of the example 
in subsection 3.2. 

4 Conclusions 

This work is inspired by the observation that multi-agent systems are intrinsi- 
cally interactive systems [14] whose effectiveness crucially depends on the model 
adopted for agent coordination. Thus, as far as a single agent architecture is 
concerned, only agent observational behaviour needs be accounted for in the 
multi-agent system design. Instead, a major role has to be played by the commu- 
nication abstraction, which has to be expressive and flexible enough to support 
the definition of a wide range of communication and synchronisation policies. 

As an example, we discussed the ACCT coordination model. We showed 
how the behaviour of ACCT logic tuple spaces can be programmed by specify- 
ing reactions to communication events. Reactions are defined through a con- 
veniently expressive specification language, and have the semantics of asyn- 
chronous, mutually-independent atomic transactions. By exploiting reactions, 
multi-agent systems can delegate synchronisation, cooperation, and competition 
charges to the communication abstraction. 

Other different coordination models deeply rely on a notion of reaction. The 
chemical metaphor of Gamma [1] allows very general coordination laws to be 
specified in terms of reaction conditions and of consequent actions. However, no 
communication abstraction is provided, nor is any agent interaction protocol. As 
it can be argued from the Dining Philosopher example shown in [2] , reactions are 
the only means for the evolution of a multi-agent system based on Gamma, since 
the model does not account for agent deliberative activity. Moreover, Gamma 
reactions are to be seen as high-level specifications ruling the evolution of a
multi-agent system, independent of any computation model, while the specification of
an ACCT reaction actually corresponds to a precise operational behaviour of
the system.

Like ACCT, the ESP coordination language [4] is based on the notion of 
multiple logic tuple space, and exploits reactiveness of the tuple space. However, 
the computational shift from the agents to the communication abstraction is 
even stronger than the ACCT one. ESP tuple spaces are at the core of all the 
computational activity, and the ESP notion of agent is reduced to a purely 
reactive execution thread. 

Even though the examples discussed in this paper are quite simple, we are 
confident that the benefits of such an approach emerge more clearly when more 
complex applications are considered. Thus, further work will be devoted to testing
the effectiveness of the model in more complex domains, by exploiting the ACCT
implementation based on SICStus Prolog 3 [13], which is currently running on
a network of workstations.

Abstract. In describing the interactions between agents we can take
either a global view, where the set of all agents is seen as one big system, 
or a private view, where the system is identified with a single agent and 
the other agents form a part of the environment. Often a global view is 
taken to fix some protocols (like contract net) for all the possible social 
interactions between agents within the system. Privately the agents then 
have fixed reaction rules to respond to changes in the environment. In a 
sense the agents are no longer autonomous in that they always respond in 
a fixed way and their behaviour can be completely determined by other 
agents. In this paper we investigate the case where there might not be 
a (or one) fixed protocol for the social interaction and where the agents 
do not necessarily react in the same way to each message from other 
agents. We distinguish between the agents' perception of the world and
the “real” state of the world and show how these views can be related.

Keywords: Multi-Agent Systems, Multi-Modal logic, Communication,
Speech acts.



1 Introduction 

In the area of Multi-Agent Systems much research is devoted to the coordination
of the agents. Many papers have been written about protocols (like contract net) 
that allow agents to negotiate and cooperate (e.g. [19,4]). Most of the cooperation 
between agents is based on the assumption that they have some joint goal or 
intention. Such a joint goal enforces some type of cooperative behaviour on 
all agents (see e.g. [3,13,23]). The conventions according to which the agents
coordinate their behaviour are hard-wired into the protocols that the agents use
to react to the behaviour (cq. messages) of other agents.

This raises several issues. The first issue is that, although agents are said to 
be autonomous, they always react in a predictable way to each message. Namely 
their response will follow the protocol that was built-in. The question then arises 
how autonomous these agents actually are. It seems that they react always in 
standard ways to some stimulus from other agents, that can therefore determine 
their behaviour. 
Besides autonomy, an important characteristic of agents is that they can
react to a changing environment. However, if the protocols that they use to 
react to (at least some part of) the environment are fixed, they have no ways 
to respond to changes. For instance, if an agent notices that another agent is 
cheating it cannot switch to another protocol to protect itself. (At least this is
not very common.) In general it is difficult (if not impossible) for agents to react
to violations of the conventions by other agents. 

As was also argued in [21], autonomous agents need a richer communica- 
tion protocol than contract net (or similar protocols) to be able to retain their 
autonomy. A greater autonomy of the agent places a higher burden on the com- 
munication. An autonomous agent might negotiate over every request it gets. In 
this paper we will describe a mechanism to avoid excessive communication. It 
is similar to the one employed in [21], but defined more formally and still more 
generally applicable. 

Negotiation between autonomous agents is only necessary if the agents do 
not have complete knowledge of the state of the world. If they did have complete 
knowledge (including knowledge about the state of minds of the other agents) 
they could calculate the optimum deal for both agents and agree in one step. 
This fact makes it important to distinguish between private and global views of
the state of the world. Even more important is the distinction between the private
and global view of actions and communication. We argue that agents not only have
limited knowledge of the world, but that they also can only acquire limited knowledge
about the world. This holds especially for knowledge about the state of mind of
other agents. In general it is not efficient for each agent to be able to “test” the
truth of any statement about the world. This would require that all agents use
the same language and have access to all facts about the world. However, one
reason to introduce agents is to split up the work in manageable packets that
can be handled by different agents. Each agent only reasons about its own part
of the data, e.g. one agent for managing the weather reports and another agent
to handle stock prices.

The same principle holds for the reasoning about actions. An agent cannot 
take into account all possible actions of other agents and possible events occur- 
ring in the environment. If an agent could do this, no unforeseen circumstances 
could arise and the goals would always be reached. Therefore, we assume that 
agents can only reason about a limited set of influences on their actions. 

However, in order to describe the “actual” effect of actions (and especially
communication) we need to use a global (agent independent) view. In this case
the set of all agents is seen as one system. Using a global view on
communication we can describe properties of communication protocols and prove their
termination, fairness, etc.

In this paper we show how to describe the formal effects of communication 
both in the private view as well as in the global view. This gives rise to an 
integrated formal framework for communicating agents. An important aspect in 
the description of the effects of the communication is the use of deontic concepts. 
This enables us to describe commitments resulting from communication without
destroying the autonomy of the agents. 

The second important point in this paper is the distinction between the pri- 
vate and the global view of the world in a formal framework and more specifically 
what are the consequences for the communication between agents. We describe 
a formal framework for communication that can be used to model all types of 
protocols. Instead of fixing some protocol the framework indicates possible mean- 
ingful sequences of messages for certain situations and goals of the agents. For 
instance, after a proposal is received a counterproposal can be given. However, it 
does not make sense to follow up a proposal with an identical counterproposal. 
The ultimate goal is to formally describe communication rules for autonomous 
agents. With these rules the effects of communication protocols (like contract 
net) can be calculated and more flexible ways of dealing with communication 
protocols can be devised. 

In the next section we describe the four components that we use to describe 
autonomous communicating agents. In section 3 we show how communication 
can be formally described using our formalism, using the communication primi- 
tives for negotiating agents in the ADEPT system ([21]) as example. In section 4 
we describe the differences between the local and global view on communication. 
In section 5 we give a sketch of a formalisation of the framework given in the 
previous sections. We give some conclusions in section 6. 

2 Communicating Agents 

The definition of the agents is based on the framework developed in [8,9]. How- 
ever, we added a private view on the actions. The concepts that we formalise can 
roughly be divided over four different components: the informational component, 
the action component, the motivational component and the social component. 
For readability we will mention all the concepts (including the ones described in 
previous publications) of each of these components in the following subsections. 
However, we will only go into the details of those concepts that are new for this 
paper. 

2.1 The Informational Component 

At the informational level we consider both knowledge and belief. Many formal- 
isations have been given of these concepts and we will follow the more common 
approach in epistemic and doxastic logic: the formula $K_i\phi$ denotes the fact that
agent $i$ knows $\phi$ and $B_i\phi$ that agent $i$ believes $\phi$. We demand knowledge to obey
an S5 axiomatisation, belief to validate a KD45 axiomatisation, and agents to 
believe all the things that they know. 

2.2 The Action Component 

In the action component we consider both dynamic and temporal notions. The 
main dynamic notion that we consider is that of actions, which we interpret as 
functions that map some state of affairs into another one. Following [12,26]
we use parameterised actions to describe the event consisting of a particular
agent’s execution of an action. We let $\alpha(i)$ indicate that agent $i$ performs the
action $\alpha$.

We can reason about the results of actions on both a private level and a global
level. The global level reasoning is the “standard” one using dynamic logic as
described by Harel in [11]. We use $[\alpha(i)]\phi$ to indicate that if agent $i$ performs
the action indicated by $\alpha$ the result will be $\phi$. I.e. no matter what happens, if
agent $i$ performs $\alpha$ the system will change to a state where $\phi$ holds. Note that
this is a very strong statement! No unforeseen action can disturb the execution
of $\alpha$ by $i$.

We also introduce a private level of reasoning about actions in this paper.
We use $[\alpha(i)]_j\phi$ to indicate that agent $j$ concludes that $\phi$ will hold if agent $i$
performs the action indicated by $\alpha$. Each agent $j$ will only consider a subset
of all possible actions that might intervene with $\alpha$. For instance, it might be
that $[\text{read-record}]_j K_j(\text{correct number of computers sold this year})$.
But if $j$ did not consider that agent $i$ could just update the sales database at
the same time we also have (globally) $\neg[\text{read-record}] K_j(\text{correct number
of computers sold this year})$.

Besides these formulas that indicate the results of actions we also would like
to express that an agent has the reliable opportunity to perform an action. This
is done through the predicate OPP: $OPP(\alpha(i))$ indicates that agent i has
the opportunity to do $\alpha$, i.e. the event $\alpha(i)$ will possibly take
place.

Besides the OPP operator, which already has a temporal flavour to it, we
introduce two genuinely temporal operators: PREV, denoting the events that
actually just took place, and the "standard" temporal operator NEXT, which
indicates, in our case, which event will actually take place next. We also define a
more traditional NEXT operator on formulas in terms of the NEXT operator
on events.

$NEXT(\phi)$ iff $NEXT(\alpha(i)) \wedge [\alpha(i)]\phi$

This means that the formula $\phi$ is true in all next states iff an action
$\alpha(i)$ is performed next and the formula $\phi$ is true after the
performance of $\alpha(i)$.

In this paper we introduce two special action types. These are the test action
and the Reveal action. Both actions have an epistemic character. Although
the test action is already introduced in standard dynamic logic, we give it an
epistemic flavour following [17]. I.e. after i tests the truth of a formula, i
knows whether the formula is true or not. The test action on formula $\phi$ is
written as $\phi?$. So, more formally we have:



^ [</.?(z)]if, (-</.) 

As we argued before, an agent cannot test every possible formula. Every agent
has a restricted domain on which it can perform tests. However, an agent i can
reveal certain information to an agent j by using the reveal action. The result of
this action is that agent j can test the truth of that formula himself. Formally:

$[Reveal(i,j,\phi)]OPP(\phi?(j))$

The reveal action is especially useful as a grounding mechanism for
discussions about the validity of some formula. It is equivalent to the physical
action of showing some evidence as support to your claim.

2.3 The Motivational Component 

In the motivational component we consider a variety of concepts, ranging from
preferences, goals and decisions to intentions and commitments. The most
fundamental of these notions is that of conditional preferences. (See also [1,16]).
Formally, (conditional) preferences are defined as the combination of implicit
and explicit preferences. A formula $\phi$ is preferred by an agent i in
situation $\psi$, denoted by $Pref_i(\phi|\psi)$, iff $\phi$ is true in all the
states that the agent considers desirable when $\psi$ is true, and $\phi$ is an
element of a predefined set of (explicitly preferred) formulas. We assume a
(total) ordering between the explicit preferences of each agent in each world.
(The ordering may vary between worlds because the preferences are conditional
upon some statement to hold true.) The use of conditional preferences, instead
of the traditional "desires", makes it possible to use the qualitative decision
theory developed in [1,16] and also to make a connection with game theoretic
work used for negotiations between agents (see e.g. [22]).

Goals are not primitive in our framework, but instead defined in terms of
preferences. Informally, a preference of agent i constitutes one of i's goals iff i
knows that the preference does not hold yet, but is achievable. Formally:

$Achiev_i\phi = \exists\beta : [\beta(i)]_i\phi \wedge OPP(\beta(i))$

Note that we use $[\beta(i)]_i\phi$ to indicate that agent i privately concludes
that $\phi$ holds after performing $\beta$. In most cases it will hold that
(globally) $\neg[\beta(i)]\phi$ or even $[\beta(i)]\neg\phi$.

A goal is now formally defined as a preference that does not hold but is
achievable:

$Goal_i(\phi|\psi) = Pref_i(\phi|\psi) \wedge \neg\phi \wedge Achiev_i\phi$

Note that our definition implies that there are three ways for an agent to drop 
one of its goals: since it no longer considers achieving the goal to be desirable, 
since the preference now holds, or since it is no longer certain that it can achieve 
the goal. This shows that our framework complies to the standard notions of 
goals given in e.g. [2]. 

Goals can either be known or unconscious goals of an agent. Most goals will 
be known, but we will later on see that goals can also arise from commitments 
and these goals might not be known explicitly. 

Intentions are divided in two categories, viz. the intention to perform an
action and the intention to bring about a proposition. The latter category of
intentions is seen as goals in our framework. We define the intention of an agent
i to perform a certain action $\alpha$ as primitive, denoted by $INT_i\alpha$.
An intention to perform an action is based on the decision to try to reach a
goal. The agent can only make a decision to try to achieve the goal that has the
highest preference (the utility principle). Because the order of the preferences
may differ in each world, this does not mean that once a goal has been fixed the
agent will always keep on trying to reach that goal (at least not straight
away). The above is described formally by

$\gamma \rightarrow OPP(DEC(i,\alpha))$ iff $\exists\phi : Goal_i(\phi|\gamma) \wedge$

$\gamma \rightarrow [\alpha;\beta(i)]\phi \wedge \neg\exists\psi(Pref_i(\psi|\gamma) \wedge \phi <_i \psi)$

$OPP(DEC(i,\alpha)) \rightarrow [DEC(i,\alpha)]INT_i\alpha$

There is no direct relation between the intention to perform an action and
the action that is actually performed next. We do, however, establish an indirect
relation between the two through a binary implementation predicate, ranging
over pairs of actions. The idea is that the formula $IMP_i(\alpha_1, \alpha_2)$
expresses that for agent i executing $\alpha_2$ is a reasonable attempt at
executing $\alpha_1$.

Having defined the binary IMP predicate, we may now relate intended actions
to the actions that are actually performed. We demand the action that is
actually performed by an agent to be an attempt to perform one of its intentions.
Formally, this amounts to the formula

$(INT_i(\alpha_1(i)) \wedge NEXT(\alpha_2(i))) \rightarrow IMP_i(\alpha_1, \alpha_2)$

The last concept that we consider at the motivational level is that of com- 
mitment. Many interpretations have been given to the concept of commitment 
(see e.g. [2,13,15]). We chose a deontic interpretation of commitment. That is, 
a commitment of an agent to reach a goal is expressed as an obligation of the 
agent towards itself to reach the goal. Although the obligation does not ensure 
the actual performance of the action by the agent, it does have two practical 
consequences. If an agent commits itself to an action and afterwards does not 
perform the action a violation condition is registered, i.e. the state is not ideal 
(anymore). 

The second consequence of registering a commitment as an obligation is, as
we argued in [6], that obligations lead to (conditional) preferences which are
ordered. From this it follows that an agent will be very committed to a goal
if the preference following from a commitment has a very high ranking. On the
other hand the commitment of an agent towards a goal is low if the generated
preferences get a low ranking.

The relation between obligations and preferences is formally described as follows:

$\forall i, j, \phi\ \ Pref_i(\phi \mid O_{ij}(\phi))$

and for actions:

$\forall i, j, \alpha\ \ Pref_i(PREV(\alpha(i)) \mid O_{ij}(\alpha(i)))$

Note that the latter is sufficient to create a goal if i has the opportunity to
perform $\alpha$, because $PREV(\alpha(i))$ does not hold presently (the action
is not performed yet when the obligation arises) and it is achievable (by
performing the action $\alpha(i)$).

The above connection between commitments and preferences (and thus goals) 
makes our agents sincere. Whenever an agent commits itself there automatically 
arises a preference to fulfil the commitment. Whether the commitment is kept 
depends on the priority of the resulting preference and the achievability of it. 
This is especially important if the commitment is made towards other agents. 
In that case the commitment forms a part of the social component. We will say 
more about the social component in the next section. 



2.4 The Social Component 

The COMMIT described in the previous section is one of the four types of
speech acts [24] that play a role in the social component. Speech acts are used
to communicate between agents. The result of a speech act is a change in the
doxastic or deontic state of an agent, or in some cases a change in the state of the
world. The speech acts are the main actions for which synchronization between
agents is essential. A speech act always involves at least two agents: a speaker
and a hearer. If an agent sends a message to another agent but that agent does
not "listen" (does not receive the message) the speech act is not successful. We
will describe the speech acts first on the global level to indicate the interaction
between the agents. Then we will show the private views of the agents on the
speech acts.

The most important feature in which our framework for speech acts differs from
other frameworks for speech acts (based on the work of Searle) is that a speech
act in our framework is not just the sending of a message by an agent but is the
composition of sending and receiving of a message by two (or more) agents!

We distinguish the following speech act types: commitments, directions, dec- 
larations and assertions. The idea underlying a direction is that of giving orders, 
i.e. an utterance like ‘Pay the bill before next week’. A typical example of a 
declaration is the utterance ‘Herewith you are granted permission to access the 
database’, and a typical assertion is ‘I tell you that the earth is flat’. Each type 
of speech act should be interpreted within the background of the relationship 
between the speaker and the hearer of the speech act. In particular for directions 
and declarations the agent uttering the statement should have some kind of basis 
of authority for the speech act to have any effect. 

We distinguish three types of relations between agents: peer relation, power 
relation and authorization relation. The first two relations are similar to the ones 
used in the ADEPT system [21,14]. The power relation is used to model hierar- 
chical relations between agents. We assume that these relations are fixed during 
the lifecycle of the agents. Within such a relation less negotiation is possible 
about requests and demands. This reduces the amount of communication and 
therefore increases the efficiency of the agents. 
The peer relation exists between all agents that have no prior contract or
obligations towards each other (with respect to the present communication). This
relation permits extensive negotiations to allow a maximum of autonomy for the
agents.

The last relation between agents is the authorization relation which is a type of
temporary power relation that can be built up by the agents themselves.

The power relation is formalized as a partial ordering between the agents,
which is expressed as follows: $i \prec j$ means that j has a higher rank than i.

The authority relation is formalized through a binary predicate auth;
$auth(i, \alpha)$ means that agent i is authorised to perform $\alpha$. It seems
that this specifies a property of one agent, however, the other agent is usually
part of the specification of $\alpha$. Therefore the authorization to perform an
action implicitly determines an authorization relation between the agents
involved in that action as well.

One way to create the authorisation relations is by agent j giving an
implicit authorisation to i to give him some directives. For example, when agent
i orders a product from agent j it implicitly gives the authorisation to agent
j for demanding payment from i for the product (after delivery). We will see
later that most communicative actions have also implicit components and effects
that are usually determined by the context and conventions within which the
communication takes place.

Besides the implicit way to create authorizations, they can also be created 
explicitly by a separate speech act which is formally a declaration that the 
authorization is true. 

The speech acts themselves are formalised as meta-actions (based on earlier
work [5]):

— $DIR(x,i,j,\alpha)$ formalises that agent i directs agent j to perform $\alpha$ on the basis of x, where x can be either peer, power or authority.

— $DECL(i,f)$ models the declaration of i that f holds.

— $ASS(x,i,j,f)$ formalises the assertion of i to agent j that f holds.

— $COMMIT(i,j,\alpha)$ describes that i commits itself towards j to perform $\alpha$.

Note that the commit and the declarative do not take a relation parameter. This 
is basically because the effect of a commit is the same irrespective of the relation 
between the agents, while the declarative does only involve one agent. 

A directive from agent i to agent j to perform $\alpha$ results in an obligation
of j towards i to perform that action if agent i was either in a power relation
towards j or was authorized to give the order. In a similar way the assertion of
proposition f by i to j results in the fact that j will believe f if i had
authority over j.
Creating the authorizations is an important part of the negotiation between
agents when they are establishing some type of contract. On the basis of the
authorizations that are created during the negotiation some protocol for the
transactions between the agents can be followed quickly and efficiently. (See [25]
for more details on contracts between agents).

Formally, the following formulas hold for the effects of commitments, orders 
and declaratives: 
- $[COMMIT(i,j,\alpha)][DECL(j, P_{ij}(\alpha(i)))]O_{ij}\alpha$

- $auth(i, DIR(authority,i,j,\alpha)) \rightarrow [DIR(authority,i,j,\alpha)]O_{ji}\alpha$

- $j \prec i \rightarrow [DIR(authority,i,j,\alpha)]O_{ji}\alpha$

- $[DIR(peer,i,j,\alpha)]K_j INT_i\alpha(j)$

- $auth(i, DECL(i,f)) \rightarrow [DECL(i,f)]f$

- $[DECL(i,f)]Pref_i(f|true)$

- $[ASS(peer,i,j,f)]K_j B_i f$

- $auth(i, ASS(authority,i,j,f)) \rightarrow [ASS(authority,i,j,f)]B_j f$

- $j \prec i \rightarrow [ASS(power,i,j,f)]B_j f$

A commitment always results in a kind of conditional obligation. The obligation
is conditional on the permission of the agent towards which the commitment
is made. (This is very close to the ACCEPT action in other frameworks).
The giving of permission is formally described by
$[DECL(j, P_{ij}(\alpha(i)))]$, where
$P_{ij}(\alpha(i)) = \neg O_{ij}(\overline{\alpha}(i))$. I.e. the permission to
perform $\alpha$ is equivalent to the fact that there is no obligation to
perform the negation of $\alpha$.

The permission of j is necessary because j might play a (passive) role in the
action $\alpha$ initiated by i. Of course j must be willing to play its part. It
signifies this by giving the permission to i. In contrast to the other speech
acts no precondition has to hold for a commitment to obtain its desired result.

A directive from agent i results in an obligation of agent j (towards i) if
agent i was authorised to give the order or i has a power relation towards j.

If i has no authority or power over j then the directive is actually a request. It
results in the fact that j knows that i wants him to perform $\alpha$. If j does
not mind performing $\alpha$ it can commit itself to perform $\alpha$ and create
an obligation.

Assertions can be used to transfer beliefs from one agent to another. Note
that agent j does not automatically believe what agent i tells him. We do assume
that agents are sincere and thus we have the following axiom:

$OPP(ASS(x,i,j,f)) \rightarrow B_i f$

That is, an agent can only assert facts that it believes itself.

The only way to directly transfer a belief is when agent i is authorised to make
a statement. Usually this situation arises when agent j first requested some
information from i. Such a request for information (modelled by a directive
without authorisation) gives an implicit authorisation on the assertions that
form the answer to the request.

A declaration can change the state of the world if the agent making the 
declaration is authorised to do so. (This is the only speech act that has a direct 
effect on the states other than a change of the mental attitudes of the agents!). 
If agent i has no authority to declare the fact, then the only result of the speech 
act is that i establishes a preference for itself. It prefers the fact to be true. 

Although we do not attempt to give a (complete) axiomatization, we want 
to mention the following axioms for the declaratives, because they are very fun- 
damental for creating relationships between agents. 

$[DECL(i, auth(j, DIR(authority,j,i,\alpha(i))))]auth(j, DIR(authority,j,i,\alpha(i)))$

which states that an agent i can create authorisations for an agent j concerning
actions that i has to perform.

The following axiom is important for the acceptance of offers: 

which states that an agent can always give permission to another agent to per- 
form some action. 

Note that it may very well be that another agent forbids j to perform $\alpha$! The
permission is only with respect to i!



3 Formal Communication 

In the previous section we gave a brief overview of the basic messages that 
agents can use in our framework. To show the power of our framework and to 
show the relation with other work on communication between agents we show 
how the basic illocutions that are used for the negotiating agents in the ADEPT 
system (and that also form the heart of many other negotiation systems) can be 
modelled within our framework. We only show this for the negotiation because 
it forms an important part of the communication between agents. In a later 
paper we will show how the communication in the stages after the negotiation 
(the performance and satisfaction stages) can also be formally modelled in our 
framework. 

The negotiating agents in the ADEPT system use the four illocutions: PROPOSE,
COUNTERPROPOSE, ACCEPT and REJECT. These four illocutions
also form the basic elements of many other negotiation systems.

The PROPOSE is directly translated into a COMMIT. The obligation that
follows from a proposal depends on the acceptance of the receiving party.
However, the ACCEPT that is used as primitive in ADEPT and most other systems
involves more than the giving of permission that we already indicated above.

The ACCEPT message has three components. That is, we consider the ACCEPT
to be the simultaneous expression of three illocutions.

1. Giving permission to perform the action 

2. Commitment to perform those actions that are necessary to make the pro- 
posal succeed 

3. Giving (implicit) authority for subsequent actions (linked to the proposal by 
convention) 

For example if agent i sends the following message to j: 

PROPOSE,i,j, 

I will deliver 20 computers (pentium, 32M, etc.) to you for $1000,- per 
computer 



then the ACCEPT message of j to i:

ACCEPT,j,i,

You will deliver 20 computers (pentium, 32M, etc.) to me for $1000,- per 
computer 

means: 

1. You are permitted to deliver the computers: $DECL(j, P_{ij}(deliver))$

2. I will receive the computers (sign a receipt): $COMMIT(j, i, receive)$

3. I give you authority to ask for payment after delivery:

$DECL(j, [deliver]auth(i, DIR(authority,i,j,pay)))$

It is important to notice that only the first component of the meaning of the 
ACCEPT message is fixed. The other two components depend on the action 
involved and the conventions (contracts) under which the transaction is negoti- 
ated. 

The REJECT message is the denegation of the ACCEPT message. It means 
that the agent is either not giving permission for the action, not committing 
itself to its part of the action or not willing to give authority to subsequent 
actions. Formally this is expressed as the disjunction of the negation of these 
three parts. Due to space limitations we will not work this out any further. 

The COUNTERPROPOSE is a composition of a REJECT and PROPOSE 
message. Formally it can thus be expressed as the parallel execution of these two 
primitives. 

Besides the formal representation of the illocution of the message we can
also give some preconditions on the basic message types. Only the PROPOSE
message type does not have preconditions. This is as expected because the
PROPOSE is used to start the negotiation. The other types of messages are all
used as answer to a PROPOSE (or COUNTERPROPOSE) message. We can formally
describe the precondition that these message types can only be used after
a PROPOSE or COUNTERPROPOSE as follows:

- $OPP(ACCEPT(j,i,\alpha)) \rightarrow (PREV(PROPOSE(i,j,\alpha)) \vee PREV(COUNTERPROPOSE(i,j,\alpha)))$

- $OPP(REJECT(j,i,\alpha)) \rightarrow (PREV(PROPOSE(i,j,\alpha)) \vee PREV(COUNTERPROPOSE(i,j,\alpha)))$

- $OPP(COUNTERPROPOSE(j,i,\beta)) \rightarrow \beta \neq \alpha \wedge (PREV(PROPOSE(i,j,\alpha)) \vee PREV(COUNTERPROPOSE(i,j,\alpha)))$

In the precondition of the COUNTERPROPOSE we included the fact that a 
counterproposal should differ from the proposal that it counters. (Although not 
mentioned in this paper, the semantics of actions does give an equivalence rela- 
tion between actions). More elaborate conversation rules are needed to describe 
long term dependencies within protocols. E.g. one cannot repeat the same pro- 
posal later on if it already has been rejected. These rules should be incorporated 
within the protocols that the agents are using. 

We do not want to give the formalisation of complete protocols at this place
due to space limitations. However, we can indicate quite easily the results of the
most common pairs of messages where agent i first proposes something to agent
j after which agent j can accept it, reject it or counterpropose it. These moves
are formally described as follows:

— $[PROPOSE(i,j,\alpha)(i)][ACCEPT(j,i,\alpha)(j)]O_{ij}(\alpha(i)) \wedge P_{ji}(\alpha(i))$ (accept)

Furthermore, if the success of $\alpha(i)$ depends on the performance of $\beta(j)$ by j:

$[PROPOSE(i,j,\alpha)(i)][ACCEPT(j,i,\alpha)(j)]O_{ji}(\beta(j))$

And if conventions determine that i can perform $\beta(i)$ after acceptance of the
proposal then:

$[PROPOSE(i,j,\alpha)(i)][ACCEPT(j,i,\alpha)(j)][\alpha(i)]auth(i, \beta(i))$

— $[PROPOSE(i,j,\alpha)(i)][REJECT(j,i,\alpha)(j)]\neg O_{ij}(\alpha(i))$ (reject)

— $[PROPOSE(i,j,\alpha)(i)][COUNTERPROPOSE(j,i,\beta)(j)]\neg O_{ij}(\alpha(i))$ (counter)

Note that the counterproposal has no effect of itself yet. Only the reject com- 
ponent of the counterproposal has immediate effect. The proposal component of 
the counterproposal only takes effect after an appropriate answer of i. 

For the reject we only indicated that the obligation does not arise. The rest of 
the effect depends on the context and is usually not of prime interest. 

The formalisation of the basic messages in the ADEPT system shows two 
things. 

First, that our framework is powerful enough to formally describe the negotiation 
in the ADEPT system including the effects of the communication. 

Secondly, that seemingly simple message types, like ACCEPT, have complicated 
meanings that partly depend on the context in which they are used. 
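
The negotiation moves above can be traced in a small state model. The following Python sketch is an added illustration, not code from the paper or from the ADEPT system: the class `Negotiation`, the `CONVENTIONS` table and the action names `deliver`, `receive` and `pay` (taken from the computer example) are assumptions. It enforces the OPP preconditions on answers and applies the three components of ACCEPT, with the implicit authority taking effect only after the proposed action has been performed.

```python
from dataclasses import dataclass, field

# Constructed convention table (an assumption of this sketch): for a proposed
# action, the part the accepting agent commits to and the directive the
# proposer becomes authorised to give once the action has been performed.
CONVENTIONS = {"deliver": {"hearer_part": "receive", "then_auth": "DIR(authority,pay)"}}


@dataclass
class Negotiation:
    prev: tuple = None                                # PREV: (kind, sender, receiver, action)
    obligations: set = field(default_factory=set)     # (x, y, a) stands for O_xy(a(x))
    permissions: set = field(default_factory=set)     # (y, x, a): y permits x to do a
    pending_auth: dict = field(default_factory=dict)  # (x, a) -> directive gained after a(x)
    auth: set = field(default_factory=set)            # (x, d) stands for auth(x, d)

    def opp(self, kind, sender, receiver, action):
        """OPP precondition: an answer must follow a (counter)proposal that
        was addressed to the answering agent; a counterproposal must differ."""
        if kind == "PROPOSE":
            return True
        if self.prev is None:
            return False
        p_kind, p_sender, p_receiver, p_action = self.prev
        if p_kind not in ("PROPOSE", "COUNTERPROPOSE"):
            return False
        if (p_sender, p_receiver) != (receiver, sender):
            return False
        if kind == "COUNTERPROPOSE":
            return action != p_action
        return kind in ("ACCEPT", "REJECT") and action == p_action

    def say(self, kind, sender, receiver, action):
        """Apply one message; returns False if its precondition fails."""
        if not self.opp(kind, sender, receiver, action):
            return False
        if kind == "ACCEPT":
            proposer, conv = receiver, CONVENTIONS.get(action, {})
            # 1. Permission (the only fixed component) makes the proposer's
            #    commitment an obligation towards the accepting agent.
            self.permissions.add((sender, proposer, action))
            self.obligations.add((proposer, sender, action))
            # 2. Commitment of the accepting agent to its own part.
            if "hearer_part" in conv:
                self.obligations.add((sender, proposer, conv["hearer_part"]))
            # 3. Implicit authority, effective only after the action is done.
            if "then_auth" in conv:
                self.pending_auth[(proposer, action)] = conv["then_auth"]
        # REJECT and COUNTERPROPOSE create no obligation; a counterproposal
        # only becomes the PREV event that the other agent may answer.
        self.prev = (kind, sender, receiver, action)
        return True

    def perform(self, agent, action):
        """[a(i)]auth(i, b): performing the action activates the authority."""
        directive = self.pending_auth.pop((agent, action), None)
        if directive is not None:
            self.auth.add((agent, directive))


def demo():
    n = Negotiation()
    early = n.say("ACCEPT", "j", "i", "deliver")   # refused: no proposal yet
    n.say("PROPOSE", "i", "j", "deliver")
    n.say("ACCEPT", "j", "i", "deliver")
    before = ("i", "DIR(authority,pay)") in n.auth
    n.perform("i", "deliver")
    return early, sorted(n.obligations), before, sorted(n.auth)


if __name__ == "__main__":
    print(demo())
```
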

4 Private and Global Views on Communication

In the previous sections we gave a formal description of communication between 
agents. This description was given from a global viewpoint. That is, the commu- 
nication was seen as actions that change the complete system of agents from one 
state to another state. This is quite natural when considering material actions 
like database updates. If an agent changes a database, the system will be in a dif- 
ferent state where some values in the database are changed. No other agents are 
necessarily (directly) involved in this action. However, communicative actions 
(except for the declaratives) always require the participation of two agents: the 
speaker and the hearer. 

In this section we will give a private view on communication based on the
global view defined in the previous sections. In a private view of the system we
try to ascribe each action that takes place in the system to an agent that has
control over that action. Also we try to make clear which part of the system
can be "seen" by each of the agents, i.e. which formulas can be checked by the
agents.

To explain the private description of the communication between agents we 
will use only one type of message. All remarks hold mutatis mutandis for the 
other types of messages. 
In a global view we have the following axiom for directives:

$auth(i, DIR(authority,i,j,\alpha)) \rightarrow [DIR(authority,i,j,\alpha)]O_{ji}\alpha$

I.e. after an authorized directive an obligation arises.

In the private view the following features of communication can be better
described:

1. Communication consists of speaking and listening. 

2. Speaker and hearer might not share the same language. 

3. Not all pre-conditions and effects of communications can be (directly) 
checked by both speaker and hearer. 

Ad 1. The first and most important step that should be taken to privatize the
view on this communication is to split up this action into a speaker and
hearer part. Agent i can never perform the complete directive by itself. It
can only send the message and hope that agent j receives the message. So,
although agent i initiates the action it does not have complete control over
it. It cannot assure that the action completes successfully. Because there is
not a single entity that has control over the communicative actions we will
split up the communicative actions into a send and receive action to get a
private view on them.

$DIR(authority,i,j,\alpha) = send(DIR(authority,i,j,\alpha))(i)\ \&\ receive(DIR(authority,i,j,\alpha))(j)$

The parallel decomposition of the directive should be read as a synchronization
between the agents. In an actual implementation the actions might be
serialized.

Although in the global view we cannot assume that an obligation holds after
the sending of (an authorized) directive by agent i, agent i can privately
conclude this if we assume the following axiom:

$auth(i, DIR(authority,i,j,\alpha)) \rightarrow [send(DIR(authority,i,j,\alpha))]_i O_{ji}\alpha$

This means that agent i assumes that agent j will always receive the messages
that agent i sends.

In the same way we have of course (and with more right probably):

$auth(i, DIR(authority,i,j,\alpha)) \rightarrow [receive(DIR(authority,i,j,\alpha))]_j O_{ji}\alpha$

That is, if agent j receives an authorized directive it will conclude that it
now has an obligation towards i.

Ad 2. Because the communication is now split up into a send and receive part
it is also possible to indicate whether the receiver can "understand" the
message that was sent, i.e. whether the receiving agent talks the same language
in terms of formulas that it incorporates in its private language. It is
possible to incorporate some general translation rules in the system that indicate
how terms can be translated from one agent's language to another's. In this
paper we will assume that all agents use the same language in order not to
complicate the formalisation too much. See [20] for an example of how an agent
system can be described in which agents can use different languages.

Ad 3. The last part that plays a role in the privatization of communication is
the checking of the pre-conditions and effects of communication. If agent
j does not know that agent i is authorized to give him an order it might
not accept the consequent obligation. Often agent j can also not check the
authority directly. Therefore, we think that in each protocol it should be
possible for j to question the authority of i if j cannot check this authority
himself. This conforms to the theory of Habermas about communication
protocols [10] where this is classified as an attack on the validity claims.
Agent j can attack the validity of the authority of i by directing agent i to
make the authority available for inspection of agent j. We get the following
possibilities:

1. $(auth(i, DIR(authority,i,j,\alpha)) \wedge OPP(auth(i, DIR(authority,i,j,\alpha))?(j))) \rightarrow [DIR(authority,i,j,\alpha)]O_{ji}\alpha$

I.e. if agent j has the opportunity to check the authority of agent i then
the authoritative direction of i to j to perform $\alpha$ results in an obligation.

2. $(auth(i, DIR(authority,i,j,\alpha)) \wedge \neg OPP(auth(i, DIR(authority,i,j,\alpha))?(j))) \rightarrow [DIR(authority,i,j,\alpha)]auth(j, DIR(auth., j, i, Reveal(i, j, auth(i, DIR(auth., i, j, \alpha)))))$

If agent j does not have the opportunity to check the authority of i then
the direction of i only results in the authority of j to direct i to reveal
the status of his authority to j. We admit that this formula is not very
readable, but it is of course very easy to find some suitable abbreviations
for these standard formulas.

The establishment of the truth of the authority of i does not have to be the 
end of the discussion, because, according to Habermas, agent j might now 
question the reason for this authority. For instance, it is based on law, on a 
previous agreement, on a contract, etc. We will not go further into this at 
this place. 

The above points indicate that the private view on communication between 
agents reveals new aspects of the communication that are not visible in the 
global view. Especially the difference in awareness about actions and facts by 
different agents leads to new communicative acts that did not seem necessary in 
the global view. 
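
The difference between the two views can be made concrete for directives. The following Python sketch is an added illustration, not code from the paper: the classes `Agent` and `System`, the tuple encodings and the numeric `rank` used for the power relation are assumptions. It splits a directive into a send and a receive part, records the speaker's private conclusion separately from the global state, and implements the two cases of Ad 3: an obligation when the hearer can test the claimed authority, and otherwise only the hearer's authority to direct a Reveal. Re-issuing the directive after the Reveal is a choice of this sketch.

```python
from dataclasses import dataclass, field


@dataclass
class Agent:
    name: str
    testable: set = field(default_factory=set)   # formulas the agent has OPP to test
    concludes: set = field(default_factory=set)  # private conclusions of the agent


class System:
    def __init__(self, names, rank=None):
        self.agents = {n: Agent(n) for n in names}
        self.rank = rank or {}   # power relation: a higher number outranks a lower one
        self.facts = set()       # global state: authorisations and obligations

    def direct(self, basis, i, j, action, received=True):
        """DIR(basis, i, j, action), split into send by i and receive by j."""
        claim = ("auth", i, ("DIR", basis, i, j, action))
        obligation = ("O", j, i, action)              # O_ji(action)
        speaker, hearer = self.agents[i], self.agents[j]
        if basis == "authority" and claim in self.facts:
            # Speaker's private axiom: it assumes its message always arrives.
            speaker.concludes.add(obligation)
        if not received:
            return "lost"                             # no effect in the global view
        if basis == "peer":
            hearer.concludes.add(("INT", i, action))  # j knows what i wants: a request
            return "request"
        if basis == "power":
            if self.rank.get(j, 0) < self.rank.get(i, 0):
                return self._oblige(hearer, obligation)
            return "no-effect"
        if claim not in self.facts:
            return "no-effect"                        # i is not authorised at all
        if claim in hearer.testable:                  # case 1: j can check the authority
            return self._oblige(hearer, obligation)
        # Case 2: j cannot check it, so j only gains the authority to direct
        # i to reveal the claimed authorisation.
        challenge = ("DIR", "authority", j, i, ("Reveal", i, j, claim))
        self.facts.add(("auth", j, challenge))
        return "challenge"

    def _oblige(self, hearer, obligation):
        self.facts.add(obligation)
        hearer.concludes.add(obligation)
        return "obligation"

    def reveal(self, i, j, claim):
        """[Reveal(i, j, phi)]OPP(phi?(j)): j can now test phi itself."""
        self.agents[j].testable.add(claim)


def demo():
    s = System(["i", "j"])
    claim = ("auth", "i", ("DIR", "authority", "i", "j", "pay"))
    s.facts.add(claim)                        # constructed: i really is authorised
    obligation = ("O", "j", "i", "pay")
    lost = s.direct("authority", "i", "j", "pay", received=False)
    private_only = (obligation in s.agents["i"].concludes, obligation in s.facts)
    first = s.direct("authority", "i", "j", "pay")
    s.reveal("i", "j", claim)
    second = s.direct("authority", "i", "j", "pay")
    return lost, private_only, first, second, obligation in s.facts


if __name__ == "__main__":
    print(demo())
```
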

5 A Sketch of a Formalisation 

In this section we precisely define the language that we use to formally represent 
the concepts described in the previous sections, and the models that are used to 
interpret this language. We will not go into too much detail with regard to the 
actual semantics, but try to provide the reader with an intuitive grasp for the 
formal details without actually mentioning them. 

The language that we use is a multi-modal, propositional language, based
on three denumerable, pairwise disjoint sets: $\Pi$, representing the propositional
symbols, Ag representing agents, and At containing atomic action expressions.
The language FORM is defined in four stages. Starting with a set of
propositional formulas (PFORM), we define the action- and meta-action expressions,
after which FORM can be defined.

The set Act of regular action expressions is built up from the set At of
atomic (parameterised) action expressions (denoted by $a$...) using the operators
; (sequential composition), + (nondeterministic composition), & (parallel
composition), and $\overline{\cdot}$ (action negation). The constant actions any
and fail denote 'don't care what happens' and 'failure' respectively.

Definition 1. Let $a \in At$ then the set Act of action expressions is given by the
following BNF:

$\alpha ::= a \mid any \mid fail \mid \alpha_1 + \alpha_2 \mid \alpha_1 \& \alpha_2 \mid \overline{\alpha}$

The set MAct of general action expressions contains the regular actions and
all of the special meta-actions informally described in section 2. For simplicity,
we restrict ourselves in this paper to closing the set MAct under sequential
composition.

Definition 2. Let $\alpha \in Act$, $i,j \in Ag$ and $x \in \{peer, authority, power\}$ then the
set MAct of general action expressions is given by the following BNF:

$\gamma\alpha ::= \alpha \mid DEC(i,\alpha) \mid COMMIT(i,j,\alpha) \mid DIR(x,i,j,\alpha) \mid \gamma\alpha_1;\gamma\alpha_2$

Not all actions can be defined at this level, because some actions like DECL 
contain formulas from FORM as parameters. These actions will be defined in 
the next stage. 

The complete language FORM is now defined to contain all the constructs 
informally described in the previous section. That is, there are operators repre- 
senting informational attitudes, motivational attitudes, aspects of actions, and 
the social traffic between agents. 

Definition 3. Let $\psi \in PFORM$, $\gamma\alpha \in MAct$, $\alpha, \alpha_1, \alpha_2 \in Act$, $i,j,k \in Ag$ and
$x \in \{peer, authority, power\}$ then the language FORM of formulas is given by
the following BNF:

4>:: - A (p2\Ki4'\Bi4>\[ya]4>\['7o:]^ 

[DECL{i, ip)](j)\ [^^^(a;, i,j, [Reveal{i, j, [f:T{i)](p 
[DECL{i,^|;)]k4>\[ASS{x,i,j,f:)]k(j)\[Reveal{i,j,^p)]k4>\['^p^{i)]k4> 
[ya;-fP]0\['ja; jf3],0\PREV{a)\OPP{a)\N EXT{(P) 

Pref^{^\^)\fj <i (j)\i <s: j\LNT,_a\LMPi{ai\a 2 )\Oij{a)\auth{i,a) 

Note that the ASS, DECL, Reveal and test action are introduced in FORM 
at this stage. The postcondition $\phi$ does not have any meaning except as a 
placeholder in these formulas. 

The models used to interpret FORM are based on Kripke-style possible 
worlds models. That is, the backbone of these models is given by a set $\Sigma$ of 
states, and a valuation $\pi$ on propositional symbols relative to a state. Various 
relations and functions on these states are used to interpret the various (modal) 
operators. These relations and functions can roughly be classified in four parts, 
dealing with the informational component, the action component, the 
motivational component and the social component, respectively. We assume tt and ff 
to denote the truth values ‘true’ and ‘false’, respectively. 

Definition 4. A model Mo for FORM from the set CMo is a structure 
$\langle \Sigma, \pi, I, A, M, S \rangle$ where 

1. $\Sigma$ is a non-empty set of states and $\pi : \Sigma \times \Pi \to \{tt, ff\}$. 

2. $I = \langle Rk, Rb \rangle$ with $Rk : Ag \to \wp(\Sigma \times \Sigma)$ denoting the epistemic alternatives 
of agents and $Rb : Ag \times \Sigma \to \wp(\Sigma)$ denoting the doxastic alternatives. 

3. $A = \langle Sf, Mf, Sfa, Mfa, Ropp, Rprev, Rnext \rangle$ with 
$Sf : Ag \times Act \times \Sigma \to \wp(\Sigma)$ yielding the global interpretation of regular actions, 
$Mf : Ag \times MAct \times (CMo \times \Sigma) \to (CMo \times \Sigma)$ yielding the global interpretation of meta-actions, 
$Sfa : Ag \times Ag \times Act \times \Sigma \to \wp(\Sigma)$ yielding the private interpretation of regular actions, 
$Mfa : Ag \times Ag \times MAct \times (CMo \times \Sigma) \to (CMo \times \Sigma)$ yielding the private interpretation of meta-actions, 
$Ropp : Ag \times \Sigma \to \wp(Act)$ denoting opportunities, 
$Rprev : Ag \times \Sigma \to Act$ yielding the action that has been performed last and 
$Rnext : Ag \times \Sigma \to Act$ yielding the action that will be performed next. 

4. $M = \langle Rp, Rep, <, Ri, Ria, Ro \rangle$ with 
$Rp : Ag \times \Sigma \to \wp(\Sigma)$ denoting implicit preferences, 
$Rep : Ag \times \Sigma \to \wp(FORM)$ yielding explicit preferences, 
$< : Ag \times \Sigma \to FORM \times FORM$ which is a preference relation on preferences, 
$Ri : Ag \times \Sigma \to \wp(Act)$ denoting intended actions, 
$Ria : Ag \times \Sigma \to \wp(Act) \times \wp(Act)$ denoting implementation relations between actions and 
$Ro : Ag \times Ag \to \wp(\Sigma \times \Sigma)$ denoting obligations. 

5. $S = \langle Auth, \prec \rangle$ with $Auth : Ag \times \wp(MAct) \to \{tt, ff\}$ yielding authorisations 
and $\prec : Ag \times Ag \to \{tt, ff\}$ yielding hierarchical relations between agents. 

such that the following constraints are validated: 

1. $Rk(i)$ is an equivalence relation for all $i$, and $Rb(i,s) \neq \emptyset$, 
$Rb(i,s) \subseteq \{s' \mid (s, s') \in Rk(i)\}$ and $(s, s') \in Rk(i) \Rightarrow Rb(i,s) = Rb(i,s')$, which 
ensures that knowledge validates an S5 axiomatisation and belief obeys a 
KD45 axiomatisation, while agents indeed believe all things they know. 

2. $Sf$ yields the global state-transition interpretation for regular actions. This 
function satisfies the usual constraints ensuring an adequate interpretation 
of composite actions in terms of their constituents. $Sfa$ satisfies the same 
constraints as $Sf$ but also should satisfy that $Sfa(i,j,\alpha,s) \subseteq Sf(j,\alpha,s)$. 
I.e. the private interpretation of an action is more limited than the global 
one. The function $Mf$ models the global model-transforming interpretation 
of meta-action. Because we do not allow the composition of meta-actions 
with other actions yet, we require for the moment that $Mf = Mfa$. Below 
we elaborate on the definition of $Mf$ for the meta-actions introduced in the 
previous section. 

3. $Rnext(i, s) \in Ropp(i,s) \subseteq \{\alpha \mid Sf(i,\alpha,s) \neq \emptyset\}$, which ensures that 
opportunities are a subset of the actions that are possible by virtue of the 
circumstances and that the next action performed is an opportunity. Furthermore, 
$Rprev(i, s) = \alpha$ iff $\alpha \in Ropp(i,s')$ for some $s'$ with $s \in Sf(i,\alpha,s')$, which 
relates previously executed actions to past opportunities. 

4. $Ri(i,s) \subseteq \{\alpha \mid Sf(i,\alpha,s) \neq \emptyset\}$ and for all $s \in \Sigma$ some $s' \in \Sigma$ exists with 
$(s, s') \in Ro$. 
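
Constraint 1 can be checked mechanically on a finite model, and the same data then evaluates knowledge and belief as necessity over Rk and Rb. The Python code below is an added example, not part of the paper; the three-state model, the agent name `i`, the proposition `p` and all function names are constructed for illustration, with Rk stored as a set of state pairs per agent and Rb as a set of states per agent and state.

```python
# Added example (not from the paper): constraint 1 of Definition 4 checked on
# a small constructed model, followed by evaluation of K_i p and B_i p.


def is_equivalence(states, rel):
    """rel is a set of (s, t) pairs; True iff reflexive, symmetric, transitive."""
    if any((s, s) not in rel for s in states):
        return False
    if any((t, s) not in rel for (s, t) in rel):
        return False
    return all((s, u) in rel for (s, t) in rel for (t2, u) in rel if t == t2)


def check_informational(states, agents, Rk, Rb):
    """Return the violations of constraint 1 as (agent, state, kind) tuples.

    An empty list means knowledge is S5-like, belief is KD45-like and every
    doxastic alternative is also an epistemic alternative.
    """
    problems = []
    for i in agents:
        if not is_equivalence(states, Rk[i]):
            problems.append((i, None, "Rk-not-equivalence"))
            continue
        for s in states:
            k_class = {t for t in states if (s, t) in Rk[i]}
            b_set = Rb.get((i, s), set())
            if not b_set:                       # Rb(i,s) must be non-empty
                problems.append((i, s, "Rb-empty"))
            if not b_set <= k_class:            # Rb(i,s) inside the Rk class of s
                problems.append((i, s, "Rb-outside-Rk"))
            if any(Rb.get((i, t), set()) != b_set for t in k_class):
                problems.append((i, s, "Rb-not-uniform"))
    return problems


def knows(i, p, s, states, Rk, val):
    """K_i p at s: p holds in every epistemic alternative of s."""
    return all(val[(t, p)] for t in states if (s, t) in Rk[i])


def believes(i, p, s, Rb, val):
    """B_i p at s: p holds in every doxastic alternative of s."""
    return all(val[(t, p)] for t in Rb[(i, s)])


def from_classes(classes):
    """Build an equivalence relation from a partition of the states."""
    return {(s, t) for c in classes for s in c for t in c}


# Constructed sample model.
STATES = ["s0", "s1", "s2"]
AGENTS = ["i"]
RK = {"i": from_classes([{"s0", "s1"}, {"s2"}])}
RB_GOOD = {("i", "s0"): {"s1"}, ("i", "s1"): {"s1"}, ("i", "s2"): {"s2"}}
# Same model, except that agent i's beliefs at s0 point outside what i knows.
RB_BAD = {("i", "s0"): {"s2"}, ("i", "s1"): {"s1"}, ("i", "s2"): {"s2"}}
VAL = {("s0", "p"): False, ("s1", "p"): True, ("s2", "p"): True}

if __name__ == "__main__":
    print(check_informational(STATES, AGENTS, RK, RB_GOOD))
    print(check_informational(STATES, AGENTS, RK, RB_BAD))
    print(knows("i", "p", "s0", STATES, RK, VAL), believes("i", "p", "s0", RB_GOOD, VAL))
```

In the well-formed model the agent believes p at s0 without knowing it, while at s2 it both knows and believes p.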

The complete semantics contains an algebraic semantics of action expressions, 
based on the action semantics of Meyer [18]. In this paper we will abstract from 
the algebraic interpretation of actions and instead interpret actions as functions 
on states of affairs. For the meta-actions the state-transition interpretation is not 
adequate, because meta-actions do not change states but they change relations 
between states. For instance, in the case of an assertion, the effect is to change 
the doxastic state of the receiving agent, and nothing else. To formalise this 
behaviour, we interpret meta-actions as model-transforming functions. In the 
case of an assertion, the resulting model will differ from the starting model in 
the doxastic accessibility relation of the receiving agent. 



Definition 5. The binary relation $\models$ between an element of FORM and a pair 
consisting of a model Mo in CMo and a state s in Mo is for propositional 
symbols, conjunctions and negations defined as usual. Epistemic formulas $K_i\phi$ 
and doxastic formulas $B_i\phi$ are interpreted as necessity operators over Rk and 
Rb respectively. For the other formulas $\models$ is defined as follows: 

$Mo, s \models [\alpha(i)]\phi$ iff $Mo, s' \models \phi$ for all $s' \in Sf(i, \alpha, s)$ 
$Mo, s \models [\alpha(i)]_j\phi$ iff $Mo, s' \models \phi$ for all $s' \in Sfa(j, i, \alpha, s)$ 
$Mo, s \models [\gamma\alpha(i)]\phi$ iff $Mo', s' \models \phi$ for all $Mo', s' \in Mf(i, \alpha, Mo, s)$ 
$Mo, s \models [\gamma\alpha(i)]_j\phi$ iff $Mo', s' \models \phi$ for all $Mo', s' \in Mfa(j, i, \alpha, Mo, s)$ 
$Mo, s \models PREV(\alpha(i))$ iff $\alpha \in Rprev(i, s)$ 
$Mo, s \models OPP(\alpha(i))$ iff $\alpha \in Ropp(i, s)$ 
$Mo, s \models NEXT(\alpha(i))$ iff $\alpha(i) \in Rnext(i, s)$ 
$Mo, s \models Pref_i(\phi \mid \psi)$ iff if $Mo, s \models \psi$ then $Mo, s' \models \phi$ for all $s' \in Rp(i, s)$ and $\phi \in Rep(i, s)$ 
$Mo, s \models \psi <_i \phi$ iff … $\in\ <(i, s)$ 
$Mo, s \models i \prec j$ iff $i \prec j$ 
$Mo, s \models INT_i\alpha$ iff $\alpha \in Ri(i, s)$ 
$Mo, s \models IMP_i(\alpha_1, \alpha_2)$ iff $(\alpha_1, \alpha_2) \in Ria(i, s)$ 
$Mo, s \models O_{ij}(\phi)$ iff $Mo, s' \models \phi$ for all $s'$ with $(s, s') \in Ro(i, j)$ 
$Mo, s \models O_{ij}(\alpha)$ iff $Mo, s \models [any(i)]O_{ij}(PREV(\alpha(i)))$ 
$Mo, s \models auth(i, \alpha)$ iff $Auth(i, \alpha, s) = tt$ 



The functions interpreting the special meta-actions (?, Reveal, DEC, COMMIT, 
DIR, DECL and ASS) can be described in terms of the preconditions and 
the postconditions for execution of the actions. Due to space limitations we leave 
them out here. See [9] for more details. 
6 Conclusions 

In this paper we have shown that it is possible to formally describe commu- 
nicating agents. The emphasis in this paper was on the formal description of 
the communication between agents. A very important aspect of this formalism 
is that it is possible to (formally) describe the effects of the communication. 
Therefore it is possible to check what is the resulting situation after a commu- 
nication protocol has been followed. We can analyze a protocol and find out 
what are reasonable moves at any point in the protocol. We have shown how 
the message types of the ADEPT system can be described in our primitives. 
This revealed that a seemingly simple primitive like ACCEPT contains a lot of 
hidden meanings. 

We have also shown in this paper that there exists an important difference 
between a private and global view on actions and in particular communications. 
The private view opens up new communication moves in the negotiation because 
the agents involved have different information! 

The difference becomes of prime importance when we want to implement agents 
that have to follow the rules of our logical formalism. By using a private view 
of actions it becomes clear which agent has control over each action. This is 
important because in the implemented system each action has to be initiated by 
some agent. 

The private view on actions also makes it possible to introduce unforeseen ac- 
tions, which seems more realistic in a multi-agent system which usually has an 
open character. I.e. not all the actions of all agents can be checked all the time. 

Two remarks should be made about the logical formalism. First, it is not our 
aim to build an automated theorem prover that can prove theorems in this very 
rich logic. The use of a logical formalism gives the opportunity to automatically 
generate the logical effects of a sequence of steps in a protocol. These could be 
subsequently implemented in a more efficient formalism. The logical description, 
however, can be used as a very general and precise specification of that imple- 
mentation. 

Secondly, the use of logic forces a very precise formal description of the com- 
munication. The use of logic led to the discovery that the primitive ACCEPT 
message has actually several components, some of which depend on the context 
within which the ACCEPT is used. It is very important that this is realized when 
the communication protocols are automatized. (As is the aim in communication 
between agents.) 

We admit that the logical formulas get very complicated and are not very read- 
able. However, it is easy to define suitable abbreviations for standard formulas. 
At least, working this way, it is clear what these abbreviations mean exactly! 
Abstract. Actors has been regarded as a promising model for open distributed 
systems. Although the operational semantics of actor programs has already been studied 
in some recent work, means of reasoning about the behaviour of communities of 
interconnected actors at a high abstraction level are still lacking. In this paper we argue 
that a proof-theoretic semantics would be better suited to this purpose. We present an 
abstract data type like axiomatisation of the kernel primitives of Actors, showing how 
to reason from specifications of actor communities and how to compose them within 
the framework of temporal logics of objects. 
1 Introduction 

Actors has been regarded as a promising model for open distributed systems. An 
actor is a computational agent with mutable encapsulated state that changes by 
processing messages in a side-effect free manner. Message passing between actors 
is buffered, point-to-point, asynchronous and relies on a local naming scheme. 
As a result of processing messages, new concurrent actors can be created and 
actor names can be communicated. With all these characteristics, actors support 
desirable run-time capabilities such as configurability and extensibility. In 
addition, the Actors model integrates the functional and object-oriented approaches 
to software development, enforcing design principles such as modularity and 
incrementability. 

Due to these peculiarities, it seems natural to search for a semantic 
foundation that could permit the rigorous step-by-step development of actor systems. 
Since the work described in [1], we know how to execute actor programs correctly. 
In [2] and [19], the operational semantics of individual actors and of communities 
of interacting actors is further studied formally. Yet the authors recognise that it 
would be necessary to characterise properties of interest to specifiers and users 
of systems organised as actor communities and also that it would be nice to have 
logical means of reasoning about such objects. This is the motivating factor for 
the present paper. 

We believe that a sufficiently abstract semantic foundation for the specification, 
composition and verification of actors should encode in the axioms and 
inference rules of a deductive system the meaning of the Actor primitives. 
Ultimately, designers and programmers need to deal in a rigorous and systematic 

J.-J. Ch. Meyer, P.-Y. Schobbens (Eds.): Formal Methods of Agents, LNAI 1760, pp. 123-142, 1999. 
manner with the syntactic representation of such primitives as parts of 
specifications and programs. Our view can be captured in a development process where 
such software artifacts are represented as theory presentations of some logic and 
are interconnected by means of translations between their languages [15]. 
Techniques for constructing similar formalisms have been popularised by Institutions 
[11] in studying the theory of abstract data types (ADTs) using some sort of 
equational logic. However, we have to point out that, when concurrency comes into 
play, and particularly because in the Actors model there are some fairness 
assumptions, the use of a temporal logic for specification and verification is almost 
unavoidable. 

This leaves us very close to the view put forward in [10]. Hence, we 
organise actor specifications using signatures and presentations of temporal theories. 
We axiomatise the primitives for sending and receiving asynchronous messages 
and for creating new objects, deriving inference rules to support modular 
reasoning about concurrent behaviour in terms of safety and liveness properties. 
Having developed such a formalism, we see our main contribution as a logic that 
establishes a firm proof-theoretic basis for actor specification, composition and 
verification, which follows to some extent previous work of the ADT school. 

We proceed by discussing some of the issues in designing a proof-theory 
for Actors. Subsequently, we introduce our approach to the specification and 
verification of actor systems, illustrating the involved technicalities by means of 
an example. Our conclusions, a comparison with related work and a description 
of our future research are presented in the final section. 

2 Issues in the Design of a Proof-Theory for Actors 

One question naturally arises in working out a proof-theory for Actors: Can we 
apply directly some existing logic to provide the desired semantics? To the best 
of our knowledge, the answer is negative, because no such logic captures all the 
required ingredients and provides the proper level of abstraction. Other logics 
for concurrent object-based systems development are described in [3, 13, 17, 20]. 
In the concluding section, we shall compare them with our work. 

Because the constituent entities of the Actors model are formal and our 
approach to specification is logical, we need to determine the characteristics 
of a logic to make possible the rigorous representation of all these entities. To 
begin with, an actor deals with distinct sets of values in message exchange and 
computation. Values may be considered actors with unserialised behaviour [1], 
which are not history sensitive and have a fixed meaning in every computation. 
Here, however, in order to keep a clear distinction between values and actors, 
we represent the first family as objects of a sort in a many-sorted language, 
instead of using an unsorted language. In a way, sorts define types for values, 
which is indeed the usual representation of properties of fixed meaning objects 
in programming languages. Actors, in turn, have observable behaviour, state- 
independent identity and can be considered modules. Hence, they are specified 
using theory presentations as suggested in [10]. 
Actors interact via buffered message passing. Since [18], temporal logic has 
been the preferred framework for studying buffered communication. Even among 
such logics, there are many possibilities to choose from. Due to the infinite character 
of some data domains of messages, propositional logic cannot be used [8]. 
Because the Actors model requires message delivery to be guaranteed and message 
consumption to be eventually performed (fairness requirements which demand 
specifying when these actions may occur, as it is impossible to determine a priori 
how the environment will evolve), branching time logic has to be used [14]. 

To complete the picture, we need to address the naming and creation schemes 
adopted by the Actors model. In producing a specification, we are in fact defining 
a template for the behaviour of a population of similar actors so that each receives 
a mail address at creation time to serve as its name in communications. The usual 
way of representing this is to regard the specification as implicitly parameterised 
by a sort of names, extending the original specification [6]. In addition, to avoid 
conflicts between the creation of new actors and the satisfiability of Barcan 
formulae, which state that the quantification domain of variables does not vary, 
every actor needs to carry an existential attribute [9]. According to this approach, 
objects that have not been created do not play any role, paraphrasing [3]. 

Considering this rationale, actor specifications should look like Figure 1. 
It represents a buffer cell, which dynamically allocates other cells for 
the integers stored. Attribute symbols represent the actor state, while messages 
and local computations are represented by action symbols. The symbols E, X, 
^ and ir are temporal connectives to state that a property holds in some 
behaviour, in the next local instant, only if preceded by the occurrence of another 
property and that occurrences of two properties are causally connected. Axiom 
1.2, e.g., states that in any behaviour, if item happens, in the next instant the 
cell will hold a value equal to the v provided. Then, the cell will not be empty 
(empty = F) and will be the last element in the queue of integers (lst = T). We 
shall continue to explain this example in Section 3. 

3 Axiomatising the Actors Model 

3.1 Representing Actors 

A theory signature provides the language to be used in a specification. Signatures 
bring both the notion of scope and interface to the logic, by forcing every used 
symbol to be declared locally and by enabling the definition of translations 
between symbols in order to connect distinct specifications. Theory signatures 
for actor specification are defined as follows: 

Definition 1 (Actor Signature). An actor signature $\Delta$ is a triple of disjoint 
and finite families $(\Sigma, A, \Gamma)$ where: 

— $\Sigma = (S, \Omega)$ is a universe signature in the usual algebraic sense [7], i.e., 
$S$ is a set of sort symbols and $\Omega$ is an $S^* \times S$-indexed family of operation 
symbols. We also require that $addr \in S$; 
Actor BufferCell 

data types addr, bool, int 

attributes cont : int, nxt : addr, empty, lst : bool 
actions nil, item(int) : local + extrn birth; 
void, link(addr) : local comput; 
put(int), get(addr) : local + extrn message; 
reply(int) : extrn message 
axioms n, m : addr, u, v : int, b : bool 

nil → X(empty = T ∧ lst = T) (1.1) 
item(v) → X(cont = v ∧ empty = F ∧ lst = T) (1.2) 
void ∧ nxt = n ∧ lst = b → X(nxt = n ∧ empty = T ∧ lst = b) (1.3) 
link(n) ∧ cont = v ∧ empty = b → X(cont = v ∧ nxt = n ∧ empty = b ∧ lst = F) (1.4) 
put(v) ∧ lst = T → X(∃n · new(item, n, v) ∧ link(n)) (1.5) 
∃n · new(item, n, v) ∨ link(n) -e- put(v) ∧ lst = T (1.6) 
put(v) ∧ lst = F ∧ nxt = m ^ send(put, m, v) (1.7) 
get(n) ∧ empty = F ∧ cont = u ^ send(reply, n, u) (1.8) 
get(n) ∧ empty = F ^ void (1.9) 
get(n) ∧ empty = T ∧ lst = F ∧ nxt = m ^ send(get, m, n) (1.10) 
nil ∨ item(u) G(E(deliv(put, v)) ∧ E(deliv(get, n))) (1.11) 
nil ∨ item(u) XG(¬(void ∨ link(n)) E(put(v)) ∧ E(get(m))) (1.12) 

End 

Fig. 1. Specification of buffer cells 



— $A$ is an $S^* \times S$-indexed family of attribute symbols; 

— $\Gamma = (\Gamma_e, \Gamma_i, \Gamma_c)$ is a triple of $S^*$-indexed families of action symbols such that 
$(\Gamma_e \cup \Gamma_i) \cap \Gamma_c$ is empty. $\Gamma_c$ is a set of local computation symbols. The elements 
of $\Gamma_e$ and $\Gamma_i$ represent respectively events to be requested from the 
environment and provided locally^. Each of these two sets contains distinguished 
sub-sets of message and birth computation symbols, e.g. $\Gamma_i - \Gamma_{i_b}$ and $\Gamma_{i_b}$. 

For $\epsilon$ denoting the empty sequence, we write an $\epsilon \times s$-indexed family of symbols 
as if $s$ were its index. Also, given a set or a sequence $X$, we denote the sub-set of 
$X$ symbols of sort $(s_1, \ldots, s_n) \times s$ as _ . In making reference to specific 
sets of signature symbols, we shall operate with subscripts ($\Gamma_{e_b \cap i_b}$) to denote 
operations on sub-sets of $\Gamma$ ($\Gamma_{e_b} \cap \Gamma_{i_b}$). 

In our previous example, addr, bool and int are the sorts that constitute, together 
with their implicitly defined constants and operations, the universe signature $\Sigma$. 
Clearly, the sort of mail addresses addr must be part of every signature. Other- 
wise, some specified actors would be useless without the ability of exchanging 
messages or creating new actors. Still in the example, we can see that cont, nxt, 

^ Since the mail addresses of actors requesting and providing the occurrence of an 
event can be determined at run time only and may denote the same object, $\Gamma_e$ and 
$\Gamma_i$ should not be disjoint in general. 
empty and lst are the attributes in $A$. In the Actors model peculiar terminology, 
such attributes are called acquaintances, which may be instantiated at creation 
time or in processing subsequently received messages. 

The structure of the set of action symbols differs from other similar logics 
[10, 17]. Each actor may provide some externally visible functionality and may 
request provision of functionality from other actors. An actor may also perform 
purely local computations. Because of these distinctions, the set of action 
symbols is divided into three sub-sets, $\Gamma_e$, $\Gamma_i$ and $\Gamma_c$. The first two are dismembered 
in sub-sets of actions to represent synchronous and asynchronous interactions, 
$\Gamma_{e_b}$ and $\Gamma_{e - e_b}$ for instance. In general, actors interact using asynchronous 
messages, members of $\Gamma_{e - e_b}$ like put in send(put, nxt, v). In some particular cases, 
however, synchrony is also required. This is the mode of interaction when a newly 
created actor receives its name because the occurrence of birth action of $\Gamma_{e_b}$ has 
just been requested^. For our example, all these families can be inferred from 
the statements in Figure 1. 
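
The behaviour that Figure 1 specifies can be simulated directly. The Python code below is an added example, not part of the paper: it reads axioms 1.1 to 1.10 operationally, with a single FIFO mail queue standing in for buffered asynchronous delivery. The class and function names, the requester address `client`, and the choice to consume without reply a get that reaches an empty last cell are assumptions of the example.

```python
# Added simulation, not code from the paper. It reads axioms 1.1-1.10 of
# Figure 1 operationally; all names below are assumptions of this example.
from collections import deque


class Cell:
    def __init__(self, cont=None):
        # nil (1.1): empty = T, lst = T.
        # item(v) (1.2): cont = v, empty = F, lst = T.
        self.cont = cont
        self.empty = cont is None
        self.lst = True
        self.nxt = None


class Community:
    """A population of buffer cells plus one buffered, asynchronous mail queue."""

    def __init__(self):
        self.cells = {}        # mail address -> Cell
        self.mail = deque()    # pending messages: (target address, name, argument)
        self.replies = {}      # requester address -> values received via reply
        self.head = self._create(Cell())           # birth action nil

    def _create(self, cell):
        addr = "cell%d" % len(self.cells)          # fresh mail address
        self.cells[addr] = cell
        return addr

    def send(self, target, name, arg):
        self.mail.append((target, name, arg))

    def step(self):
        """Consume one buffered message; return False when the queue is empty."""
        if not self.mail:
            return False
        target, name, arg = self.mail.popleft()
        cell = self.cells.get(target)
        if cell is None:                           # extrn message to a requester
            if name == "reply":
                self.replies.setdefault(target, []).append(arg)
        elif name == "put" and cell.lst:
            # (1.5) new(item, n, v) and link(n); (1.4) link sets nxt = n, lst = F
            cell.nxt = self._create(Cell(arg))
            cell.lst = False
        elif name == "put":
            self.send(cell.nxt, "put", arg)        # (1.7) forward along the chain
        elif name == "get" and not cell.empty:
            self.send(arg, "reply", cell.cont)     # (1.8) reply to requester n
            cell.empty = True                      # (1.9) void, then (1.3)
        elif name == "get" and not cell.lst:
            self.send(cell.nxt, "get", arg)        # (1.10) forward the request
        # get at an empty last cell: no axiom gives it an effect, so it is
        # consumed without a reply (assumption of this example).
        return True

    def chain(self):
        """(cont, empty, lst) of every cell, following nxt from the head."""
        out, addr = [], self.head
        while addr is not None:
            c = self.cells[addr]
            out.append((c.cont, c.empty, c.lst))
            addr = c.nxt
        return out


def run_scenario(ops, requester="client"):
    """Send the given put/get requests to the head cell, deliver everything,
    and return (replies received by the requester, final chain)."""
    community = Community()
    for op in ops:
        if op[0] == "put":
            community.send(community.head, "put", op[1])
        else:
            community.send(community.head, "get", requester)
    while community.step():
        pass
    return community.replies.get(requester, []), community.chain()


if __name__ == "__main__":
    print(run_scenario([("put", 1), ("put", 2), ("get",), ("get",)]))
    print(run_scenario([("get",), ("put", 7), ("get",)]))
```

The second scenario shows the effect of asynchrony under this reading: a get that is delivered before any put finds an empty last cell and produces no reply.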

As it is usual in a proof-theoretic approach to specification (cf. [6, 9, 20]), we 
need to extend signatures with some logical symbols. The situation here resem- 
bles the use of hidden symbols in algebraic specifications [7]. There, the specifier 
wants to use the language of previously defined data types to specify a more 
complex one. Here, we want a simpler language to specify complex patterns of 
behaviour presented by every actor, defined in terms of a more complex lan- 
guage. This extended language will be used in providing a semantics for the 
actor primitives and that is why it should not be required from the specifier of 
each signature. 

Definition 2 (Extended Actor Signature). Given an actor signature $\Delta = 
(\Sigma, A, \Gamma)$, the triple $X\Delta = (X\Sigma, XA, X\Gamma)$ is said to be the extended signature 
of $\Delta$, where: 

— (-S' 0 (bool), 12 0 {Tbooh Fbooh NOTbool^ bool }) 7 

— XA = {Ai, Ai, As, Ad), such that Ai = A', for each c G Fj,^ of sort (si, . . . , s„) 

there is an initg G ^ for each c G F(^g_g^'ju(i-ip) ofsort (si, . . . , s„) 

there is a sentg G ^ and for each c G of sort (si, . . . , s„) 

there is a delivdg G ^ 

- XF = (Fg, Font, ri, rin, rg, Frgv), where for each c £ Tg of sort (si, . . . , s„) 

there is an outg G rout(M, addr si s ) ! each c G T; of sort (si , . . . , s„) there 

is an iug G si s ) for each c G of sort (si, . . . , s„) there 

is a icVg G , ) such that T[inuotit)nrct) = { } 3’Hd that iug = outg 

whenever c G Fgni- 

That is to say, the original universal signature is extended with the sort of 
booleans, new attributes are provided to deal with the existence of actors and 
buffering of messages, and new actions are introduced to handle creation and 
interaction. Hereafter, we will not make any distinction between extended sig- 
natures and actor signatures. 

^ For simplicity, we assume that there are only two modes of interaction between 
objects, synchronous and asynchronous, and that creation follows the first one. 
A central feature of actors is interaction. Here, it is simulated using the 
synchronous case by the actions $out_c$ and $in_d$ happening simultaneously for $c \in \Gamma_e$ 
and $d \in \Gamma_i$, which belong to the actor communities (populations of actors with 
same specification) requesting and providing the event respectively. The 
occurrence of these logical actions plays the role of the interaction steps in [19]. For an 
interaction between actors of the same community represented by action $c$, hence 
required and provided internally and member of $\Gamma_{e \cap i}$, the occurrence of the new 
actions above has already been synchronised since their symbols are equalised 
by the constraint $in_c = out_c$ in Definition 2. Otherwise, this synchronisation 
must be supported by the existence of a morphism identifying shared actions 
in the distinct signatures, as discussed in Section 3.4. Asynchrony is guaranteed 
by obliging $rcv_d$ to happen after $out_c|in_d$ and before $d$ itself. Finally, (double) 
buffering is captured by the attribute $delivd_d$ ($sent_c$) becoming true for some 
values when they are delivered (sent) in a message. Of course, all these new 
symbols do not explicitly appear in specifications but their behavioural constraints 
will have to be captured by our axiomatisation. Also according to the proposed 
extended signatures, ill formed messages are not allowed (as actions, messages 
always have a locally correct representation at the sender) and messages sent to 
actors which cannot provide the required functionality are never delivered. 

According to [3], in a given state of the system, it should only be possible 
to mention the objects which exist in that state. In our case, objects will have 
some $init_c$ attribute set to T for some sequence of values $\vec{v}_c$ if the occurrence of 
an action $in_c(\vec{v}_c)$, $c \in \Gamma_{i_b}$, created it. The structure of communities of similar 
actors is defined below and provides a syntactic (although static) representation 
for the configurations of [2] and the fragments of [19]: 

Definition 3 (Actor Community Signature). Given a signature $\Delta = (\Sigma, 
A, \Gamma)$, a community signature $\Delta^P$ is obtained by parameterising $\Delta$ with sort $P$. 

That is, $\Sigma^P = (S \oplus \{P\}, \Omega)$; $A^P$ is obtained from $A$ by adding the parameter 
sort $P$ to each of its attribute symbols; and $\Gamma^P$ is obtained from $\Gamma$ by adding 
the parameter sort $P$ to each action symbol of $\Gamma_e$, $\Gamma_i$, $\Gamma_c$ and $\Gamma_{rcv}$. The other 
symbols of $\Delta$ remain the same in $\Delta^P$. 

It seems obvious that the parameter sort P of every community should be addr. 
Indeed, according to [19], actor semantics should be parameterised by sets of 
actor addresses. Due to our definition, a new parameter is added to each relevant 
signature symbol and its instances will represent an actor name. In this way, 
the basic operations on object references, equality test and dereferencing [3], are 
supported. However, signatures alone do not support a modular design discipline, 
obliging the entire structure of complex systems to be represented by single 
entities. The required means of composition shall be provided in Section 3.4. 

3.2 Specifying and Interpreting Actor Behaviours 

Actor specifications stand for the behaviour definitions of [1]. To define them, 
we assume that an infinite family of variables and its classification E according 
to a set of sorts are given. 
Terms stand for meaningful values. In their definition, a signature A and a 
classification E indexed by the set of sorts are used. These are assumed to be 
given in the sequel. 

Definition 4 (Terms). The S-indexed set of terms $T_\Delta(\Xi)$ is defined as follows, 
assuming q e Sg U Qs ^ As , p e ^ A{s^,___,s^),s and U G Ta{S)sP 

t , — q \ p(ti , ,tn) I f -, • • • An) 

That is, terms consist of variables, nullary function and attribute symbols, or 
function and attribute symbols applied to terms. We usually write a sequence of 
similar terms $t_1, \ldots, t_n$ as $\vec{t}$. 

As explained previously, to give an account of actor behaviour in terms of 
formulae, first-order branching time temporal logic is required. In what follows, 
we take formulae as defined in CTL* [8] and introduce the necessary extensions: 

Definition 5 (Formulae). The set $F_\Delta(\Xi)$ of formulae is defined by the mutual 
recursion below, assuming c G _ ti G T^(E)s^, y ^ Eg and gi G F^(E): 

g := beg | c(ti, . . .t„) | ti =g t’z \ E^f' \ gi ^ g 2 \ ~^gi \^y ■ 9i 

9' '■= 9 \ ^9'i I 9'i'^92 I 9'i 92 I I 3t/ • 9'i 

Formulae stand for the initial instant; action occurrences; term equality; a for- 
mula holding in some possible behaviour, in the next instant or until another 
formula holds; or formulae aggregation using first-order logic connectives. 

A formal definition of actor specifications, exemplified here by BufferCell, 
is as follows: 

Definition 6 (Actor Specification). An actor specification is a pair = {A, 
F) where A is an actor signature and is a finite set of formulae over A (the 
specification axioms). 

Formulae containing other first-order logic connectives and inequalities stand for 
their usual translations. Free variables in axioms are considered to be universally 
quantified. Moreover, we write a parameterised formula 3 (n, ti^) as n.g(Fg). The 
connectives defined below are also admissible in specifications: 



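For | In | Formula | Reads | Represents 
— | — | init | initialisation | $\bigvee \exists \vec{v}_c \cdot c(\vec{v}_c)$ 
$n_i, \vec{v}_c$ | $T_\Delta(\Xi)$ | $n_1.new(c, n_2, \vec{v}_c)$ | actor creation | $out_c(n_1, n_2, \vec{v}_c)$, $c \in \Gamma_{e_b}$; $in_c(n_1, n_2, \vec{v}_c)$, $c \in$ 
$n_i, \vec{v}_c$ | $T_\Delta(\Xi)$ | $n_1.send(c, n_2, \vec{v}_c)$ | message dispatch | $out_c(n_1, n_2, \vec{v}_c)$, $c \in \Gamma_{e - e_b}$ 
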
The unary temporal connectives above are defined to be non-strict (they include 
the present). Conversely, the precedence connectives are strict and forbid the 
simultaneous occurrence of some properties. In specifications, where usually p = 
init, their subscripts are omitted. In particular, is used to establish causality 
relations; for instance that an occurrence of a get causes the subsequent dispatch 
of a reply which cannot happen otherwise. The primitives are the usual ones in the 
Actors model [1]^. 

There is just another Actor primitive not treated by our syntax: become, 
which defines that an actor will behave according to a distinct specification in 
its subsequent computation. In fact, local computations in like void of our 
example together with a selective use of attributes simulate this in an awkward 
manner. It would be easy to present become as another definition, by 
introducing death actions in signatures (cf. [9]) and by considering the primitive as 
the death of an actor and its subsequent resurrection with a distinct behaviour, 
keeping the same mail address in this process. However, we have reasons to 
avoid treating this here: in the first place, in order to simplify our presentation, 
and secondly because it would bring methodological complications for reasoning. 
These complications shall be addressed in the last section. 

Concerning the formal meaning of signature symbols, we assume that sorts 
are interpreted as constant sets, while variables and operations on sorts denote 
constant functions. Attributes differ from operations in that they may have a 
distinct meaning at each instant (i.e. they are non-rigid). Actions, in turn, may 
happen concurrently if this is allowed by specification axioms. Indeed, action 
symbols are a syntactic representation of the events of [12], which may proceed 
concurrently if unrelated. Specifications are only satisfied by branching infinite 
sequences of states representing an actor community behaviour. As a result of all 
these assumptions, it is easy to see that we are adopting a model of parallelism 
where actions have a fixed granularity. Since our approach here is proof-theoretic, 
the reader is referred to [8, 10] for some semantic considerations. 

3.3 Axiomatising Actor Behaviours 

In this section, we develop a deductive system ACT for Actors consisting of a 
set of axiom schemes and inference rules. We assume the existence of a deductive 
system BTLO for the many-sorted, first-order, branching time temporal logic 
of objects used here (see [9, 17] for axiomatisations of particular linear time 
versions) and concentrate on the peculiarities of our work. 

We shall develop axiom schemes for a consequence relation wherein a 
specification is used as an index to remind us that it depends on the structure of 
a signature to support localised reasoning. We will assume that a specification 
$\Phi = ((\Sigma, A, \Gamma), \Psi)$ is given. Also, we will drop from the schemes sorts in 
quantifications to simplify our presentation, using the variable n for actor names 
decorated with indexes when necessary. The following notation shall be used to 
express the invariance of an attribute or a modification in its value, the fact that 

^ Notice that, since G [0, oo[, we allow actors to have “multiple constructors”. 
an actor name has become known and that a property continuously holds unless 
that happens, and the fairness requirement over the occurrence of an action: 



For s as 


FORMULA 


REPRESENTS 


t 


Inv{s) 


yk ■ (x(t = k) ^t=k) 




Mod(s) 


A x(T(G.) = 


n 


Acq{s) 


V 3vd ■ (deliv(d, Vd) /\n e Vd) V 

‘^6Fi-i, 

Y 3fd • (d(fd) An e v~d)y V • new(d, n, v~d) 

d-er,,, d6F^,ui, 


{n,g) 


Wait{s) 


(ff)W(init) A {g)W {Acq{n j) 


c{vc) 


Fair{s) 


F (c(G) V G ( Mfd • -E(d(?fd)) j j 



In logics of objects, the so-called locality property is regarded as a crucial 
assumption to support modular reasoning [10, 17]. It is also a key feature of the 
Actors model [12]. Generally speaking, locality requires that either an action of 
the object occurs or its attribute values remain invariant. This means that each 
actor has encapsulated state — changes must be witnessed by the occurrence of 
its own actions. Locality is captured by the following schemes: 

L,f,. \J 3vc ■ n.c(vc) f\yvf ■ n.Inv(f(iTf)) 
cera feA, 

L|. /\VG-3rai ■ ni.new^c, n 2 , v'c) y n 2 .Inv(initc{v"c}) 
cer,^ 

L|. /\ VG • \/ 3n2,Vd ■ W2.new(d, wi , fd) V W2.send(c, wi , G) V wi .deliv(c, G) V 

deri^ 

ni.Inv{sentc{v'c)) 

LJ. /\'i Vc - \! ^n2 , Vd - n2 .new(d, wi, fdjVrai .deliv(c, G) Vwi .c(G) Vwi .Inv{delivdc{vc)) 

The first scheme says that either a local computation happens or all the 
non-logical attributes remain invariant. In the BufferCell example, this captures 
the fact that either void or link occurs or else cont, nxt, empty and lst do not 
change. According to the second scheme, either an actor is created with some name 
or the possible existence of an object with such name is not disturbed. The other 
two schemes guarantee that buffering attributes vary only when the actor 
is created or message passing takes place. 

Permission schemes constrain the occurrence of actions: 

P^. VG • beg ^ G(-iwi .init) V rai.TFad(ra, -isend(c, W 2 , G)) 

P,j,. /\VG-beg ^ (-ira.deliv(c, G))W(ra.init) 

P,j,. f\'^Vc ■ beg ^ (-ira.c(G))W(ra.init) 

P,j,. /\ VG • beg ^ G(-iwi .init) V l\n\.Wait(n, -inew(c, W2 , G)) 

p|. [\ 3ni, Vc ■ wi.new(c, W2, G) ^ Vfd • n 2 .initd{vd) = F 
c,der,^ 

Pj,. /\beg ^ G( 3 wi, W2, Vc ■ E(wi.new(c, W2, G))) 

_ "6b, 

P,f,. /\VG • 3 wi • wi.new(c, W2, F'c)^begra2.c(G) 
P<f,. /\ V?Tc-rai .new(c, W2, v'c) v'c', Vd-((n.3 / wi V Vc' / ?Tc) Ara3.new(c, W2, 

c.der,^ 

c 

n3.new(d, W2, ^d) 

P|. /\V?J^ • ra.deliv(c, ?J^) ^ n.sentc(v‘c) = T 

■ ™-deliv(c, ?J^) ^ rid • (rlc* / rJ^ A ra.deliv(c, rA*)) V ra.deliv(d, Ad) 

C,dG-T;_;^ 

c 

P^^. f\'^v"c ■ n.c(vc) n.delivdc{vc) = T 

P# • [\yvc ■ n.c{vc) ^ $Vc\vd ^ Vc f\n.c{vc'))\/ n.d{vd) 
c,d^r 
d 

The first four schemes say that dispatch, delivery and consumption of messages 
plus local computations and requests for creation do not happen before the birth 
of each actor. Notice that the first and fourth schemes are more liberal if the actor 
is never created within a certain community but are more restrictive otherwise 
by requiring actor names to become known due to the delivery of a message, 
the birth of the source or the creation of the target before they could be used 
in the task. This is to prevent using arbitrary names and modes of interaction 
distinct from point-to-point message passing such as broadcasting [12, 19]. The 
other schemes say: a new actor can only be created if this has not happened 
before (5); it is always possible to create some new actors (6); the occurrence of 
birth actions is causally connected to requests for creation (7); two actors with 
the same name cannot be concurrently created (8); messages can be delivered 
only if they were previously sent (9); only one message can be delivered to 
each actor at any instant (10); messages can be consumed only if they were 
previously delivered (11); consumption of messages and local computations are 
totally ordered (12), meaning that two such actions cannot occur in parallel. 

Many logical attributes are introduced in the extension of actor signatures. 
The variation of their values as the actor community evolves is defined as follows: 

Vi A VAl • 3 wi • wi.new(c, W2, Al) ^ n2.Mod{initc{vc) = t) 
cer,^ 

v|. A VAl, Ad • 3 wi • wi .new(c, W2, Al) ^ n2 -M od{sentd{v‘d) = F A delivdd{v‘d) = f) 

cer,^ 

v|. A VAl • 3 wi • wi.send(c, W2, Al) ^ n2.Mod{sentc{vc) = t) 

V|. /\yv‘c ■ ra.deliv(c, Al) ^ n.M od[sentc{v‘c) = F A delivdc{v‘c) = t) 

V|. /\^Vc ■ ra.c(Al) ^ n.M od(delivdc{vc) = f) 

That is, if the creation of an actor has been requested, there will exist a new 
actor in the next instant with empty message buffers (1,2); if a message is sent, 
it will be buffered for output (3); if a delivery happens, the message will be 
removed from the output buffer and transferred to the input buffer (4); and if a 
message is processed, it will be removed from the input buffer (5). Notice that 
the delay in buffering messages, in the next instant only, rules out the existence 
of Zeno actors, which could reply infinitely fast. 
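
The buffering discipline described by the permission schemes (5) and (8) to (12) and the valuation schemes (1) to (5) can be exercised on finite traces. The following monitor is an added example, not part of the original paper: the event tuples, the rule labels and the name check_trace are assumptions made here, and the acquaintance conditions on names and the fairness schemes are not checked.

```python
from collections import Counter, defaultdict

def check_trace(trace, initial=()):
    """Check a finite actor trace against the buffering discipline.

    trace   -- list of instants; each instant is a list of concurrent events:
               ("new", creator, target), ("send", src, dst, msg, val),
               ("deliv", dst, msg, val), ("consume", actor, msg, val),
               ("local", actor, name)
    initial -- names of actors that already exist in the initial instant
    Returns a list of (instant, rule, event) violations.
    """
    alive = set(initial)
    # Messages are untagged, as in the paper's simplification, so each buffer
    # is a set: identical messages to the same actor are equalised.
    sent = defaultdict(set)    # target -> {(msg, val)} for which sent = T
    delivd = defaultdict(set)  # actor  -> {(msg, val)} for which delivd = T
    violations = []

    for i, events in enumerate(trace):
        births = Counter(e[2] for e in events if e[0] == "new")
        delivs = Counter(e[1] for e in events if e[0] == "deliv")
        steps = Counter(e[1] for e in events if e[0] in ("consume", "local"))
        born, add_sent, moved, consumed = set(), [], [], []

        for ev in events:
            kind, actor = ev[0], ev[1]
            rule = None
            if actor not in alive:
                rule = "before-birth"      # no action before the actor's birth
            elif kind == "new":
                target = ev[2]
                if target in alive:
                    rule = "P5"            # created only if not created before
                elif births[target] > 1:
                    rule = "P8"            # same name created concurrently
                else:
                    born.add(target)
            elif kind == "send":
                add_sent.append((ev[2], (ev[3], ev[4])))
            elif kind == "deliv":
                item = (ev[2], ev[3])
                if item not in sent[actor]:
                    rule = "P9"            # delivered only if previously sent
                elif delivs[actor] > 1:
                    rule = "P10"           # one delivery per actor per instant
                else:
                    moved.append((actor, item))
            elif kind == "consume":
                item = (ev[2], ev[3])
                if item not in delivd[actor]:
                    rule = "P11"           # consumed only if delivered
                elif steps[actor] > 1:
                    rule = "P12"           # consumption/local steps are ordered
                else:
                    consumed.append((actor, item))
            elif kind == "local":
                if steps[actor] > 1:
                    rule = "P12"
            else:
                raise ValueError(f"unknown event kind: {kind!r}")
            if rule:
                violations.append((i, rule, ev))

        # Valuation schemes: attribute changes of legal events become visible
        # only in the next instant, which is what excludes Zeno behaviour.
        for actor, item in consumed:
            delivd[actor].discard(item)            # (5)
        for actor, item in moved:
            sent[actor].discard(item)              # (4)
            delivd[actor].add(item)
        for target, item in add_sent:
            sent[target].add(item)                 # (3)
        for target in born:
            alive.add(target)                      # (1)
            sent[target].clear()                   # (2): empty buffers at birth
            delivd[target].clear()
    return violations

# Constructed sample traces: terminal "t" sends put(7) to buffer cell "b".
GOOD = [[("send", "t", "b", "put", 7)],
        [("deliv", "b", "put", 7)],
        [("consume", "b", "put", 7)]]
# Same exchange, but the delivery is attempted in the instant of the send.
ZENO = [[("send", "t", "b", "put", 7), ("deliv", "b", "put", 7)],
        [("consume", "b", "put", 7)]]
```

Because illegal events do not update the buffers, one violation does not mask the next: in ZENO the premature delivery is rejected and the later consumption is then reported as well.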
It is important to mention that, even though the two sets of axiom schemes 
above severely constrain the behaviour of actor communities, such constraints 
are almost always necessary. For instance, we require the continuous ability to 
create new actors using in order to prevent that the address space used by 
some community could become completely used. However, we do not constrain 
the initial value of n.initc(iJl) for every n and this permits the existence of actors 

in the initial instant. What would happen otherwise is that no actor could exist 

— 7 

according to since any birth could not be requested first. On the other hand, 

— 12 

the permission scheme P^ above is not necessary and is provided here just to 
facilitate specification and reasoning. We can allow actors to have full internal 
concurrency instead, as soon as we guarantee that attribute consistency (in the 
sense of [16]) is preserved using additional axioms [5]. Notice that actors can 
always present some internal concurrency anyway: they can create many other 
actors and send several messages at the same time. 

Finally, fairness schemes are required to guarantee a correct collective actor 
behaviour. Without fairness, it could be the case that messages fail to be deliv- 
ered, because the receiver always postpones the delivery or due to transmission 
failures, and that received messages are never consumed. 

F^. f\ 'iv‘c ■ n.delivdc(v'c) = T A E(ra.c(?V;)) ^ n.Fair[c[v‘c)) 

F|. !\ yvc ■ n.sentc(v'c) = T A E(ra.deliv(c, fi,)) ^ ra.Fair(deliv(c, ifc)) 

The first scheme says that, if the processing of a message is obliged, because 
the message was delivered and has been locally buffered, and it is also permitted 
(enabled), the message will be processed or the actor will become always disabled 
for processing — unable to consume any pending message. Mutatis mutandis, 
this is what the second scheme says for message delivery. These schemes capture 
the assumptions of bounded buffering and reliable message passing respectively. 

A crucial simplification was made in our axiomatisation concerning message 
passing. We should have treated the fact that messages may be exchanged both 
concurrently or in sequence and thus some of them could be missed or duplicated 
[8]. In Actors, the usual treatment of this problem is to attach tags to messages so 
that they become distinct from each other [1]. To avoid obliging the specifier to 
deal with such details, logical means could have been provided, much in the way 
that buffering is treated through auxiliary attributes. Although omitted here, 
this additional treatment is indeed necessary, say, to determine the effects of 
messages simultaneously sent to the same actor, which would have been equalised 
otherwise since this situation is not covered by axiom V|. 

All the properties above have already been stated in the literature — many 
appear in [12], for instance — although they remained without an axiomatisa- 
tion. Hereafter, we call the set of logical axioms of <P containing {L^ P^ 

as Ax^, while the set Ax^ contains only the axioms with barred 
labels, wherein logical attributes do not appear. 

The axiom schemes above allow us to derive more or less standard rules for 
reasoning about concurrent actor communities. In what follows, we use Hoare 
triples $\{p\}\ a\ \{q\}$ to represent $a \land p \to Xq$. Moreover, sequents like $P \vdash_{\Phi} q$ stand 
for the fact that formula q is derivable from the set of formulae P together with 
the (logical and non-logical) axioms of $\Phi$ using the inference rules of the proof 
system. We drop the index from the sequent when it is clear from the context. 

Proposition 7 (Derived Rules of Inference). Given an actor specification 
$\Phi = ((\Sigma, A, \Gamma), \Psi)$, the following are inference rules for deriving properties of 
existing $\Phi$-actors, where each p, p' and q is an arbitrary formula over a single 
actor and n, n' and m are terms of sort addr: 

[EXIST] 1. p' ^ n' .new{d, m, Vd) 

2. p ^ qV V 3G • ra.new(c, m, G) 



p' - XG(p ^ q) 



[SAFE] 1. /\yPc ■ n.c(Pc) q 




[INV] 1. /\yvc • {q} n.c(vc) {q} 


cer,^ 

2. /\ VUc • {g} ra.c(G) {g} 

cer^ 




ceFc 




g ^ Gg 


Gg 





[RESP] 1. 


/\VUc • {p} n.c{Pc) {p V n. 


d{vd)} 




cer^ 




2. 


n.d[Pd) Fq 




d e Ei-I, I 


p FF{n.d{Pd)) 






ra.deliv(d, Pd) X(Fp ^ 


Fq) 



[COM] 1. VG • {p} ra.c(G) {p V ra.deliv(d, ?Jd)} 

cera 

2. ra.deliv(d, Pd) Fq 

3. p ^ FE(ra.deliv(d, Pd)) 

d e G-4 

ra'.send(d, n, Pd) X(Fp ^ Fg) 



Using our axiom schemes Ax$ and the axiomatisation of the temporal logic 
BTLO, it is not difficult to derive the inference rules above, which are more 
convenient to use together with the axioms of Ax^ because the logical attributes 
have been eliminated. Rule EXIST is a direct consequence of {L|, P|, V^}. The 
SAFE and INV rules, which enable the deduction of properties that actors will 
always have and correspond to forms of actor induction as described in [12], 
are consequences of axioms Li^ and The other rules are a consequence of 

{L|,P“’^^, V^’®,F|} and {L|, P|’^°, V|’^, F|} respectively. Although these 
last two rules are both for the derivation of properties in the general liveness 
family, which an actor will eventually present, they are distinguished to keep 
apart properties arising as a result of local and cooperative behaviour. 

The COM rule is to be used in proving properties that arise from the inter- 
action between two (potentially distinct) actors. The situation here differs from 
that described in [4], where interaction is captured through action sharing in a 
more explicit and unconstrained manner. Therein, a very strong form of fairness 
is proposed, since in general a shared action may lose its permission to happen 
in some of the components while it has been obliged to take place. For designing 
actor systems, however, such a fairness strengthening is not required: a shared 
action must be locally provided by one actor only and cannot have its permission 
to occur externally constrained in this way. 

Let us illustrate the use of our proof system. From the BufferCell specification, 
we can see that each cell is created and may be subsequently consumed 
or linked to another cell of the buffer. If a cell is empty and it is not the last 
element of the list, the cell will never perform any local computation again. Hence, 
the cell will forward every incoming message to the next buffer element (if any). 
Assuming familiarity with temporal logic, this is stated and verified as: 



$\vdash_{\mathrm{BUFFERCELL}} G(empty = T \land lst = F \to G(\lnot void \land \lnot link(n)))$ (1) 

1. $void \land empty = T \to X(empty = T)$ [from 1.3] 
2. $link(n) \land empty = T \to X(empty = T)$ [from 1.4] 
3. $empty = T \to G(empty = T)$ [1, 2 INV] 
4. $void \to X((\lnot void)\,W\,(get(n) \land empty = F \land \lnot void))$ [from 1.9, DEF $\to$] 
5. $(\lnot void)\,W\,(empty = F) \to (G(empty = T) \to G(\lnot void))$ [DEF W, bool Ax] 
6. $void \to XG(empty = T)$ [1, 3, K X] 
7. $void \to XG(empty = T \to \lnot void)$ [4, 5, 6, WEAK G] 
8. $beg \to (\lnot void)\,W\,(init)$ [from] 
9. $init \to (\lnot void)\,W\,(get(n) \land empty = F \land \lnot void)$ [from 1.9, DEF $\to$] 
10. $beg \to (\lnot void)\,W\,(get(n) \land empty = F \land \lnot void)$ [8, 9 TRANS W] 
11. $get(n) \land empty = F \to \lnot void \land X(empty = F \land void)$ [from 1.9, L\] 
12. $get(n) \land empty = F \land \lnot void \to G(empty = T \to \lnot void)$ [7, 11, WEAK X, FIX G] 
13. $beg \to G(empty = T \to \lnot void)$ [10, 12, DEF G, TRANS W] 
14. $empty = T \to \lnot void$ [13 beg £] 
15. $G(empty = T) \to G(\lnot void)$ [UGI,k G] 
16. $empty = T \land lst = F \to G(\lnot void)$ [3, 15, WEAK $\to$] 



using Modus Ponens and generalisation as the inference rules of the underlying 
logic. In a similar way, it is easy to prove $\vdash empty = T \land lst = F \to G(\lnot link(n))$. 
Therefore, conjoining these partial results and using the fact that $Gp \land Gq \to G(p \land q)$ 
and a G introduction, we conclude that the property above holds. 



3.4 Composing Actor Communities 

In Section 3.1 we discovered that, to give an account of what is usually consid- 
ered to be a component in Actors, we need at least to be able to put distinct 
signatures together to represent the structure of yet another component or an 
entire system. The view that complex components should be defined in terms of 
smaller components connected together has been developed within the theory of 
Institutions [11], which requires the definition of basic entities to be regarded as 
connectable units. In our case, these will be actor community specifications. 
Next, it is necessary to provide means of connecting these entities to each 
other. Traditionally, in a logical approach to design, this is achieved by providing 
translations between the languages of the related theories [15]. If a symbol-to- 
symbol mapping (morphism) between two actor signatures is given, the existence 
of a translation between the respective languages can be guaranteed along with 
an interpretation between their theories. 

Definition 8 (Signature Morphisms). Given two actor signatures $\Delta_1 = (\Sigma_1, A_1, \Gamma_1)$ 
and $\Delta_2 = (\Sigma_2, A_2, \Gamma_2)$, a signature morphism $\tau : \Delta_1 \to \Delta_2$ consists of: 

— a limit preserving morphism of algebraic structures Ty : Fi ^ IJ2 such 
that Tt,(addri) = addr2 and Tt,(booli) = bool2, and also that Ti,(ti) = T2, 

= F2 and r^,(NOTi) = NOT2; 

— for each / C ^ > s ; ^.n attribute symbol t„(/) : x . . . x ^ 

Tt,(s) in A2 such that C Ai^, r„(A'i) C Ai^, C As^ and 

Fa(^di) C Ad:,, where for each £ A(iusud)i, Ta{fc) = /r-,(c); 

— for each c C s ) > action symbol Tj(c) : Ty(si) x . . . x in 

T2 such that r.y(Tei) C Fy^, t^(FiJ C t^(FcJ C Fy^, T^(FrcvJ Q 

FtCV 2 , F7 {rout,) C Fouto and r.y(G„J C where r.y(Te,J C Fg^^^uh^ and 

'''j{rei-ei,,) Q -^(e2-ei,2)u(;2-42)) C Fj,^^ and Tj{Fj,-i,^^) C so 

that T^(Fe,nh) Q Fg^nh and also T^{Fout,nim) Q Foutonino- In addition, for 
each dg G T|^mUoutUrc'y)i 7 ^j{dg) — dg-^t^gy 

It is straightforward to define inductively the translation of symbols, classifications, 
terms, formulae and sets thereof under $\tau$. 

Since renaming is one of the features of translations, morphisms capture the re- 
labelling operation described in [1], used to equalise identifiers in distinct compo- 
nents. In addition, the translation of symbols belonging to extended signatures 
only is determined by the translation of the original symbols provided. This 
means that the specifier, in defining a morphism to connect distinct signatures, 
does not need to be concerned with the new symbols introduced in their exten- 
sion. Furthermore, signature morphisms allow some external symbols (members 
of $\Gamma_e$) to become local as well. This stems from the fact that, in a complex 
configuration, there may be events required from the environment of a sub-component 
which are not required by the whole component, because they are provided by 
another sub-component of the same configuration. 

Of course, we want to be always able to combine distinct signatures in such 
a way that the structure to support actor interaction is provided. This can be 
accomplished if we can show that, for every three generic signatures connected 
through morphisms so that one contains symbols to be shared by the others, 
there is a unique way of collapsing such objects into a new larger signature 
wherein the shared-to-be symbols are equalised. As a consequence, any such 
aggregations through morphisms will be possible. Using Category Theory, this 
is equivalent to showing that the category of signatures has an initial object (the 
empty signature shared by disjoint components) and pushouts. A category with 
these characteristics is called co-complete: 
Theorem 9 (Category of Actor Signatures). Actor signatures and 
morphisms constitute a finitely co-complete category where $\Delta_\perp$ = (({addr, bool}, 
{T,F,NOT}), ({}, {}, {},{}), ({},{}, {},{},{}, {})) is the initial object. 

Interpretations between theories induced by the signature morphisms above 
do not capture the expected combination of behavior as usual in Institutions 
[11]. This happens because such morphisms do not translate the logical axioms 
of source theories, which are needed to guarantee a correct collective behaviour. 
To support this, non-standard specification morphisms are used: 

Definition 10 (Specification Morphisms). Given two actor specifications 
$\Phi_1 = (\Delta_1, \Psi_1)$ and $\Phi_2 = (\Delta_2, \Psi_2)$, a specification morphism $\tau : \Phi_1 \to \Phi_2$ is a 
signature morphism such that r(^) for every G <P'i U . 

The inclusion of the translated logical axioms into $\Phi_2$ is necessary as 

they represent properties which are not always a consequence of , since they 
rely on the existence of only the original signature symbols. Once the signature 
is augmented with new symbols using a morphism, these properties may fail to 
hold. The locality of non-logical symbols, say, is not preserved by the translation 
[10]. It is not difficult to see that some other schemes also fail to hold. 

Another category is determined by specification morphisms: 

Theorem 11 (Category of Actor Specifications). Actor specifications and 
morphisms constitute a finitely co-complete category. 

A comparison between our notion of composability and that of [2, 19] is in or- 
der here. Given a set of specifications with their pairwise shared sub-components 
fixed, pushouts of specification morphisms are commutative and have $\Delta_\perp$ as their 
identity. In addition, all their possible compositions in any order are isomorphic 
among themselves, which yields associativity up to isomorphism (in the Category 
Theory sense). Apart from that, the composability notion therein is dynamic 
and fails to compose configurations having in common identical names of existing 
actors. This is syntactically immaterial, though, since there is a canonical 
way of relating actor syntax and semantics, as hinted in [1] and followed here, 
by obliging the composed specifications to entail configurations with disjoint 
sets of existing actor addresses. Consequently, we have presented an alternative 
syntactic formalisation of the composability notion for Actors. 

3.5 Example Revisited and Extended 

Using the technique described in the previous section, we can now study commu- 
nities of heterogeneous actors. A good example is obtained by composing a buffer 
as described in Section 2 with a processor and a set of terminals, to represent a 
uniprocessor time-sharing architecture. The intended behaviour of this complex 
component, whose specification shall be called UTSA, is to allow commands 
typed by terminal users to be always eventually executed. The specification of 
terminal and processor actors for this purpose appears in Figure 2. 
Actor Terminal 
  data types addr, int 
  attributes buf : addr 
  actions 
    rst(addr) : local + extrn birth; 
    rd(int) : local comput; 
    trx(addr) : extrn message 
  axioms n : addr, v : int 
    $rst(n) \to buf = n$ (2.1) 
    $rd(v) \land buf = n \to send(trx, n, v)$ (2.2) 
End 

Actor Processor 
  data types addr, int 
  attributes inp, me : addr, done : int 
  actions 
    ini(addr, addr) : local + extrn birth; 
    exc(int), nop : local comput; 
    rcv(int) : local + extrn message; 
    req(addr) : extrn message 
  axioms n, p : addr, u, v : int 
    $ini(n, p) \to me = n \land inp = p$ (3.1) 
    $(nop \lor exc(v)) \land me = n \to X(me = n)$ (3.2) 
    $(nop \lor exc(v)) \land inp = p \to X(inp = p)$ (3.3) 
    $nop \land done = v \to X(done = v)$ (3.4) 
    $nop \to send(req, inp, me)$ (3.5) 
    $exc(v) \to X(done = v)$ (3.6) 
    $ini(n, p) \to G(rcv(v) \lor exc(v) \to \lnot nop)$ (3.7) 
    $rcv(v) \to exc(v)$ (3.8) 
    $ini(n, p) \to GE(deliv(rcv, v))$ (3.9) 
    $ini(n, p) \to XG(\lnot exc(v) \to E(rcv(u)))$ (3.10) 
End 



Fig. 2. Simplified specification of terminals and processors 



Terminals become aware of the mail address of a cell to serve as their buffer 
at creation time (2.1). Afterwards, they always transmit typed commands to 
the buffer to wait for processing (2.2). Processors, in turn, have a more complex 
behaviour, since they have to request the next command from the buffer at each 
free processing cycle (3.5). Commands may always be delivered to the processor 
(3.9). Once received, they are subsequently executed (3.8). The computation 
cycle of the processor alternates among the occurrence of nop, rcv and exc 
(3.7), which starts only when its behaviour is initialised using ini (3.1). 

Clearly, these actors cannot work as a single component unless the proper 
connections between them are provided. Morphisms must establish “physical” 
shared channels to enable message exchange, as in Figure (3.i). As expected, 
Component1, Component2 and UTSA, which result from the composition of 
the three specified components, are defined up to isomorphism, by the pushout 
of the respective sub-components. This means that any name for each of their 
symbols suffices as long as the symbols to be shared and only they are equalised. 
They are defined according to the two connectors and the morphisms in Figure 
(3.ii). The signature of Connector1 contains one external message symbol only, 
called X, which is mapped to the trx action of terminals and to the put action 
of buffers. Connector2 has two actions, which are mapped to get and reply 
at the buffer side and to req and rcv at the processor side respectively. These 
morphisms clearly satisfy the requirements of Definition 8. 
[Figure 3, panels (ii) and (iii). (ii) Connector morphisms: Terminal and BufferCell share X, mapped to trx and put; BufferCell and Processor share y, mapped to get and req, and z, mapped to reply and rcv. (iii) Translations of the birth actions rst, nil and ini of terminal, buffer and processor.] 





Fig. 3. Static configuration of the system 



So far, we have described components consisting of individual actors. To 
describe communities of similar actors, though, morphisms can also be used. 
Each diamond in Figure (3.i) should actually have a cube structure, to allow 
several similar actors to exist concurrently. Considering that the sort symbols of 
each specification define a category whose morphisms are determined by their use 
as symbol parameters, as proposed in [9], each diamond vertex becomes the source 
of a signature morphism which adds a new sort morphism to each parameter 
sort^. For instance, the sort p, which is the parameter of item with projection 
Tta '■ P ^ int, should be mapped accordingly to p' and to tt'^, such that p' has 
another projection tTj : p' ^ addr to cater for the new parameter sort. Using this 
kind of structure, it is possible to state properties like 

$\exists n \cdot (k.new(buffer, n) \land (\exists m \cdot b.new(processor, m, m, n)) \land$ 
$\exists t_1 \cdot b.new(terminal, t_1, n) \land \ldots \land \exists t_i \cdot b.new(terminal, t_i, n))$ (2) 

provided that the translations for the birth actions in Figure (3.iii) are given. 
This kind of property should be guaranteed by the environment (some other 
component connected to UTSA) to ensure the creation of a set of actors configured 

^ That is why we consider that morphisms of algebraic structures are limit preserving 
in Definition 8. Otherwise, the translation of signature symbols would not yield 
theory interpretations. 
in the intended way. Therefore, the specifier is not only required to provide 
morphisms, allowing actors in different communities to interact, but also to assume 
that the environment provides some “logical” shared channels (names to bind 
the actors to each other) to be able to verify properties of actor components. 

The characteristic property of UTSA, that the processing of typed com- 
mands is always eventually completed, can be stated as follows: 

$\vdash_{\mathrm{UTSA}} G(t_i.rd(v) \to F(m.done = v))$ (3) 

This is an instance of the so-called Fair Merge Problem. In other words, the 
processing of sequences of commands from each user must be fair, which means 
that each of them must not have the completion of its execution indefinitely 
delayed. This kind of unacceptable behaviour would occur, for example, if the 
processor could ignore commands from specific users. 

To verify (3), we use the fact that buffers are organised as finite queues 
of logically linked cells so that each cell either processes incoming messages or 
forwards them to be dealt with by its successors, because the cell has already 
been consumed or is not the last element of the queue, or else it ignores each 
message, because the entire buffer is empty. We also rely on assumption (2) 
which ensures that user commands can only be consumed by the processor with 
mail address m. Some auxiliary definitions are required to state these properties: 



$R_n(x, y) = y.nxt = x \land y.lst = F$ 
$P(v) = \exists y \cdot y.cont = v \land y.empty = F$ 
$Q(m, v) = \exists y \cdot y.cont = v \land y.send(reply, m, v)$ 

Notice that $R_n$ determines a well-founded relation, whose bottom element is n 
and which can be formalised as follows, considering always that x and y range 
over all the addresses of buffer cells existing in the configuration: 



A —>R„(x, x) (4) 

A G((y .M od(nxt = x) A X(i?„(x, j/))) V y.Inv(nxt)) -e FG(y .Inv(nxt)) 

The anti-reflexivity of $R_n$ can be verified by first using rule EXIST together 
with (2) and axioms 1.5/6 to prove as an invariant that a cell cannot be linked 
to itself ($n.lst = T \lor n.nxt \neq n$). This implies that the anti-reflexivity of $R_n$ 
is preserved by the occurrence of link. The same can be easily proved for the 
other actions of BufferCell. By using rule SAFE, the anti-reflexivity proof 
is completed. The second half of (4) is a consequence of the proof in Section 3.3. 

The verification of (3) is then decomposed by k, p and r as follows: (i) 
prove $\vdash_{\mathrm{COMP1}} t_i.rd(v) \to FP(v)$ using $R_n$ in the proof rule WELL [8, p. 1057], 
followed by COM and RESP letting p as in Definition 7 be the invariant above; 
(ii) prove $\vdash_{\mathrm{PROC}} m.send(req, n, m) \lor \lnot m.nop$ as a consequence of 3.5; (iii) prove 
$\vdash_{\mathrm{COMP2}} P(v) \to (m.send(req, n, m) \lor \lnot nop \to FQ(m, v))$ as in (i), and (iv) prove 
$\vdash_{\mathrm{COMP2}} Q(m, v) \to F(m.done = v)$ likewise. The formal proof appears elsewhere. 
4 Concluding Remarks 

In this paper, we have presented an axiomatisation of the kernel primitives of 
Actors [1] using the framework of temporal logics of objects [9]. We showed not 
only how actor systems can be specified and verified but also how to compose 
specifications and decompose proofs using Category Theory. Our main contribution 
is therefore a logic (in the Institutions sense [11]) for the Actors model. This 
logic provides a syntactic and more elegant formalisation of interfacing and mod- 
ularisation structures previously proposed in [1, 2, 19]. In addition, as it is easy 
to capture in Actors control structures usually found in computing applications 
such as recursion, they become tractable using our logic. 

What makes our logic interesting is the integrated treatment of object creation, 
asynchronous message passing, fairness and dynamic reconfigurability as 
they appear in Actors. Other logics for concurrent object-based systems devel- 
opment also exist. We could have extended as a basis for our work the linear 
time logic proposed in [17] for specifying objects based on action sharing inter- 
action. A proof system for object creation in POOL is described in [3] based 
on the CSP synchronous primitives. A logic resembling UNITY is proposed in 
[13] considering asynchrony and fairness. None of these logics provide built-in 
support to all the characteristics of the Actors model mentioned above. 

Having treated all these characteristics, we still have to address the axioma- 
tisation of become, which allows an actor to behave according to a distinct 
specification in its subsequent computation. As we have already pointed out, 
we could have treated this primitive herein. However, any simplistic treatment 
would make reasoning a lot more difficult in general. To verify a safety property, 
for example, we would have to show that it does not depend on the mutations 
suffered by the actor. Since to maintain the balance between ease to specify and 
ease to verify is not straightforward, a methodological study of this primitive 
within our logic — perhaps following [20] — is required. 
Abstract. We continue to study the problem of actions with typical, 
but not certain effects. In [3], [2] we showed how to incorporate this kind 
of actions into a dynamic/epistemic multi-agent system in which the 
knowledge, abilities and opportunities of agents are formalized together 
with the results of actions they perform. The novelty of the present ap- 
proach is that it allows a nondeterminism in action performance. More- 
over, compound actions are built both from traditionally viewed actions 
with certain effects and actions with typical effects. Adopting a model- 
theoretic approach we formalize a preferential strategy in order to reason 
about the results of the realizations of scenarios built over these actions. 



1 Introduction 

The formalization of multi-agent autonomous systems requires a rich repertoire 
of actions to capture a variety of agents’ behaviour. The agents may be viewed 
as systems which continuously sense a dynamic environment they are embedded 
in, and which effect changes by performing actions or plans of actions (see [4]). 
These plans result in the planning process directed towards achieving some goals. 
However, independently of the method of planning, an agent’s goal is usually 
achievable in different ways reflected in a set of plans. Plans are usually defined 
in terms of actions with certain effects, that is as sequences of these actions. 

But there may be also another option. One may consider actions leading to 
some effects, being aware that these effects may be achieved in different ways, 
e.g. by distinguishing different types of action execution. Next, from the set of 
possible action performances some may be characterized as typical ones, leading 
to some extra - typical - effects. In other - atypical - cases there is no information 
about additional effects. Thus, a distinction between typical and atypical action 
performance results in different changes in the external world (see, for instance, 
[12], [13], [14]): a typical action execution leads not only to a certain effect (which 
always holds), but also leads to typical or default effects. 

The application of actions with typical effects is justified in situations when 
either the way of achieving a goal is inessential from the agent’s point of view, or 
is hard to predict during planning, but possible to dynamically determine dur- 
ing a plan execution. Let us stress that this approach essentially simplifies the 
planning process: particular actions with typical effects assure the achievement 
of partial goals in the plan without coming into details. Thus, the use of these 
actions maintains a rather high level of abstraction — the way of action 
performance is determined by an agent “on line”, i.e. during plan execution, 
instead of the agent deciding about it in advance. So this kind of planning is 
very flexible: a single plan containing actions with typical effects reflects a set of 
plans built from analogous actions with certain effects. 

An important characteristic of these actions is their usefulness in reacting 
to unpredictable changes in the dynamic environment — they increase an agent’s 
reactivity. For example, a particular change in the external world may definitely 
block the performance of an action with certain effects. However, when treating 
this action as one with default effects, its atypical performance may save the 
realization of the plan. 

In [3], [2] we model this new kind of action by means of extending the 
epistemic/dynamic framework presented in [7], [8], [9]. This formal system is 
designed to deal with both the knowledge and the abilities of agents, and with 
the effects of actions they perform. Our extension provides the formalization of 
a deterministic version of actions with typical effects. However, the opposition 
of typical - atypical action performance turns out not to be subtle enough to 
fully characterize the variety of situations an agent may deal with. The novelty 
of the present approach is that it allows nondeterminism in the performance of 
an action. 

Analogously to [3], when considering actions in isolation we assume that an 
agent’s generic intention is to prefer a typical action performance. However, to 
adequately model plans of actions, the specific preferential strategy should be 
related to the characteristics (i.e. the type) of this plan. In this paper we focus 
on scenarios reflecting a “typical” pattern of agents’ behaviour, thus we model 
a nonmonotonic preferential strategy that can be viewed as a minimization of 
atypical performances of actions. Within our epistemic/dynamic framework we 
apply this strategy to reason about scenarios, i.e. to determine a set of desirable 
conclusions which can be derived from a given scenario. 

Our formal framework is designed from the perspective of a single agent, 
with special attention paid to different types of actions it can perform. Other 
aspects of multi-agent systems, including collective and social characteristics of 
agents’ behaviour, will be the subject of a future extension of our approach. 

The paper is structured in the following manner. In Sections 2 and 3 we discuss 
notions of nondeterministic actions with typical effects and scenarios built over 
the traditionally viewed actions as well as those of the new type. In Section 4 we 
present a language defined to represent scenarios under consideration, whereas 
in Section 5 we provide its semantics. In Section 6 a notion of scenario realization 
is formalized. The paper is completed with concluding remarks and options for 
further research. 

2 Nondeterministic Actions with Typical Effects 

When defining the result of an action we follow the idea of [17] to identify the 
state of affairs resulting from the action execution with its effect. We consider an 
event $do_i(\alpha)$ referring to the performance of an action $\alpha$ by an agent $i$. Therefore 
the results of an event may be represented by a formula 

$\langle do_i(\alpha) \rangle \varphi$ 

stating that an agent $i$ has the opportunity to perform an action $\alpha$ and that 
doing $\alpha$ leads to $\varphi$. 

An opportunity of an agent to perform a certain action reflects almost wholly 
external, objective circumstances. Apart from agent’s opportunities, we adopt a 
generic concept of agent’s abilities (cf. [7]), covering physical, mental and moral 
capacities. Viewing abilities as a separate concept enables us to remove them as 
a prerequisite of an action performance. In order to formalize agents’ abilities an 
operator $A$ is introduced. An expression $A_i\alpha$ reflects the fact that an agent $i$ 
is capable of performing an action $\alpha$. A combination of both $\langle do_i(\alpha) \rangle \varphi$ and $A_i\alpha$ 
expresses the idea that $\alpha$ is a correct ($\langle do_i(\alpha) \rangle \varphi$) and feasible ($A_i\alpha$) plan for 
agent $i$ to achieve $\varphi$. 

Now we are in a position to characterize a new kind of actions — actions 
with typical (default) effects which will be referred to as $\Delta$-actions. The generic 
characteristic of $\Delta$-actions is that they have different effects in typical and 
atypical performances: different changes in an external world can be distinguished 
depending on the way the action is executed. 

The result of performing a $\Delta$-action is represented by 

$\langle do_i(\alpha) \rangle \varphi, \psi$ 

denoting, analogously, that an agent $i$ has the opportunity to perform a $\Delta$-action 
$\alpha$ and as a result of this event $\varphi$ (always) holds and typically $\psi$ holds. In other 
words, $\varphi$ may be viewed as a certain and $\psi$ as a typical effect of a $\Delta$-action $\alpha$. 

Consider an example of the action Get_To_Airport. I can go there by taxi, 
by bus, or someone may drive me. Hiring a taxi is viewed as a typical execution 
of this action, but depending on circumstances I can decide differently. If I want 
to make up my mind at the last moment, according to my current abilities and 
possibilities (e.g. my friend with a car just visiting me), the use of actions with 
typical effects enables me to do so. The results of the example execution of this 
action may be represented by 

$\langle do_i(\mathit{Get\_To\_Airport}) \rangle$ ‘I-am-in-airport’, ‘I-spend-money-on-taxi’. 

Another example is the formalization of the action Appointment_with_Cris, 
usually resulting in attending a concert together: 

$\langle do_i(\mathit{Meet\_Chris}) \rangle$ ‘I-spend-time-with-Chris’, ‘I-attend-concert’. 

In our approach we decided to specify only typical effects of action execution, 
abstracting from the actions’ atypical results. This modelling decision reflects the 
idea that atypical effects of the performance of a $\Delta$-action $\alpha$ may be unpredictable. 
When having a full description of the external world and of possible effects of all 
actions, one can also try to specify what may happen as the result of atypical 
action performance. 

However, this characterization of the results of deterministic $\Delta$-actions seems 
not to be subtle enough to describe the variety of situations an agent may face. 
The opposition typical - atypical action performance is not sufficiently 
context-sensitive when an agent has only one possibility of typical or atypical action 
execution (cf. [3], [2]). So, we admit nondeterministic actions with typical effects. 
The nondeterminism is considered in the context of an agent’s opportunities, re- 
flecting mainly circumstantial conditions (its abilities do not depend on external 
circumstances) and may be considered in two respects. 

First, the external (objective) nondeterminism on the level of the choice be- 
tween typical and atypical action performance. Second, the internal (subjective) 
nondeterminism on the level of the choice between various possibilities of typical 
or atypical action performance. While the objective nondeterminism depends 
on the external circumstances, the internal one reflects an agent’s (subjective) 
rather than objective choices. 

While performing some $\Delta$-action an agent $i$ may proceed in a typical or 
atypical way but when considering an action in isolation, it usually prefers (one 
of) a typical execution of the action. Additionally, for $\Delta$-actions, analogously to 
actions with certain effects, the characterization of correctness is applied. 

3 A Scenario Realization 

In this paper we focus on a rational agent (see [18]) and its activity directed to 
achieve some goals as a result of a plan execution. The plan, reflecting a sequence 
of actions, is either prepared by an agent itself or is given to it. In order to 
formalize an agent’s plan we introduce the notion of a scenario. A scenario for 
an agent reflects a sequence of actions to be performed by this agent together 
with initial and final observations. An initial observation characterizes an initial 
state of affairs, including a generic precondition for execution of the scenario. A 
final observation must reflect the goals an agent wants to achieve. It may also 
characterize a final state of affairs. 

We introduce the following notation. Let $\gamma_{pre}, \gamma_{post}$ be any formulas from the 
object language $\mathcal{L}$. The sequence $Sc = \langle \alpha_1, \ldots, \alpha_n \rangle$ of actions to be performed 
by an agent $i$, $\alpha_k \in Ac$ (the set of actions), $k = 1, \ldots, n$, with the precondition 
$\gamma_{pre}$ and the postcondition $\gamma_{post}$, is said to be a scenario for an agent $i$ and 
denoted by $SCD(i, \{\gamma_{pre}\} Sc \{\gamma_{post}\})$ or simply SCD. 

In AI literature various types of scenarios have been studied (see [15], [3]). 
When considering a typical character of action performance, the situation 
becomes more complicated. Moreover, allowing nondeterministic action in the 
scenario increases the number of possibilities to achieve the goal. A notion of a 
scenario realization (for an agent i) reflects both the execution of each action 
occurring in the scenario and the agent achieving its final goals. While modelling 
the behaviour of a rational agent we want to reflect its preferred choices. When 
an agent considers an action performance in isolation, it prefers (one of) typical 
action execution, whereas from the perspective of a scenario realization it 
may admit (one of) atypical courses of action performance. However, an agent’s 
choice should always reflect a generic preferential strategy. 

In the paper we focus on typical plans, where a sequence of actions is 
planned in advance so that the agent’s goals become a part of 
the final observations after plan execution. We assume that effectiveness of an 
agent’s behaviour usually depends on how typical execution of each element of 
the plan is. Possible disturbances - atypical executions of some actions - may 
either preclude achieving the final goals (in the worst case) or may change the 
way to achieve them. For this reason the applied preferential strategy amounts 
to a minimization of atypical performances of actions. 

The realization of a given scenario based on an adequate preferential strategy, 
leads to certain conclusion states. As a final point of scenario realization we are 
in a position to determine the set of all statements that hold in all these states. 
We will refer to this set as the set of desirable conclusions. 



4 The object language 

In this section we show how to extend the framework defined to formalize the 
behaviour of rational agents in a multi-agent system. This approach, defined in 
[7], [8] and [9], considers epistemic aspects like agents’ knowledge as well as the 
results of actions they perform, together with agents’ opportunities and abilities 
to perform particular actions. 

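Definition 4.1 (Language $\mathcal{L}$) 

The language $\mathcal{L}$ is based on the following three sets: 

— a denumerable set $P$ of propositional symbols (fluents in AI terminology); 

— a finite set $\mathcal{A}$ of agents, denoted by numerals 1, 2, . . . , n; 

— a finite set $At$ of atomic actions, denoted by $a$ or $b$; this set includes a 
non-empty subset $At_\Delta$ of atomic $\Delta$-actions. 

The set of formulas (the language $\mathcal{L}$) is the smallest set satisfying the 
following conditions: 

— $p \in \mathcal{L}$, for each $p \in P$; 

— if $\varphi, \psi \in \mathcal{L}$, then $\neg\varphi \in \mathcal{L}$ and $\varphi \vee \psi \in \mathcal{L}$; 

— if $i \in \mathcal{A}$ and $\varphi \in \mathcal{L}$, then $K_i\varphi \in \mathcal{L}$; 

— if $i \in \mathcal{A}$ and $\alpha \in Ac$, then $A_i\alpha \in \mathcal{L}$; 

— if $i \in \mathcal{A}$, $\alpha \in Ac$ and $\varphi, \psi \in \mathcal{L}$, then $\langle do_i(\alpha) \rangle \varphi \in \mathcal{L}$ and $\langle do_i(\alpha) \rangle \varphi, \psi \in \mathcal{L}$. 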

The class $Ac$ of actions is the smallest set such that 

— $At \subseteq Ac$; 

— if $\alpha_1, \alpha_2 \in Ac$, then $\alpha_1; \alpha_2 \in Ac$ (sequential composition); 

— if $\varphi \in \mathcal{L}$ and $\alpha_1, \alpha_2 \in Ac$, then if $\varphi$ then $\alpha_1$ else $\alpha_2$ fi $\in Ac$ (conditional composition); 

— if $\varphi \in \mathcal{L}$ and $\alpha \in Ac$, then while $\varphi$ do $\alpha$ od $\in Ac$ (repetitive composition). 

The constructs True, False, $\wedge$, $\rightarrow$ and $\equiv$ are defined in the usual way. 
Moreover, the following abbreviations are introduced: 
skip = empty action; = skip; = a*; a. 

Remark 4.1 Intuitively the formula $K_i\varphi$ states that an agent $i$ knows about 
the fact represented by $\varphi$, whereas $A_i\alpha$ states that the agent $i$ is able to perform 
an action $\alpha$. Moreover, the formulae $\langle do_i(\alpha) \rangle \varphi$ and $\langle do_i(\alpha) \rangle \varphi, \psi$ are explained 
in Section 2. □ 

Remark 4.2 The set of actions under consideration contains atomic actions 
with certain effects, atomic $\Delta$-actions and compound actions built from any 
kind of actions. Sets of actions are related to agents. □ 

5 Semantics for the language 

In this section we define the semantics for the language $\mathcal{L}$. This semantics is 
based on the notion of a Kripke model. 

Definition 5.1 (Kripke model) 

A Kripke model is a tuple $\mathcal{M} = (S, val, R, r, t, c)$ such that 

1. $S$ is a set of possible worlds, or states; 

2. $val : P \times S \to \{0, 1\}$ is a function that assigns truth values to fluents in states; 

3. $R : \mathcal{A} \to \wp(S \times S)$ is the function that yields the accessibility relation for a 
given agent $i$, i.e. $(s_1, s_2) \in R(i)$ states that $s_2$ is an epistemic alternative 
for an agent $i$ in a state $s_1$. Since we assume the modal system KT, $R(i)$ is 
reflexive for all $i \in \mathcal{A}$; 

4. $r : \mathcal{A} \times At \to S \to \wp(S)$ is such that $r(i, a)(s)$ yields the result of performing 
an action $a$ by an agent $i$ in a state $s$; 

5. $t : \mathcal{A} \times At \to S \to \wp(S)$ is such that $t(i, a)(s)$ yields the result of (typical) 
performing of an action $a$ by an agent $i$ in a state $s$; this function is such 
that 

• $\forall i \in \mathcal{A}\ \forall a \in At_\Delta\ \forall s \in S\quad t(i, a)(s) \subseteq r(i, a)(s)$ 

• $\forall i \in \mathcal{A}\ \forall s \in S\ \forall a \in At \setminus At_\Delta\quad t(i, a)(s) = r(i, a)(s)$. 

6. $c : \mathcal{A} \times At \to S \to \{0, 1\}$ is the capability function such that $c(i, a)(s)$ indicates 
that an agent $i$ is able to perform the action $a$ in a state $s$. □ 

Remark 5.1 It is worth noting that no demands on the interconnections be- 
tween functions r and c are imposed. This leads to the formalization of agent’s 
abilities and opportunities as separate concepts. 

The function $t$ is introduced to formalize a typical performance of a $\Delta$-action 
by an agent i. Since certain effects of an action may be viewed as typical ones 
(clearly, not vice versa), we assume a performance of an action with certain 
effects to be typical. □ 
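
The functions $r$, $t$ and $c$ can be extended for the class $Ac$ of all actions (not 
only atomic). That is, the extension of $r$, written $r^*$, is defined by:† 

$r^* : \mathcal{A} \times Ac \to \wp(S) \to \wp(S)$ 

$r^*(i, a)(s) = r(i, a)(s)$ for $a \in At$ 

$r^*(i, \alpha_1; \alpha_2)(s) =$ 

$r^*(i, \text{if } \varphi \text{ then } \alpha_1 \text{ else } \alpha_2 \text{ fi})(s) = \begin{cases} r^*(i, \alpha_1)(s) & \text{if } \mathcal{M}, s \models \varphi \\ r^*(i, \alpha_2)(s) & \text{otherwise} \end{cases}$ 

$r^*(i, \text{while } \varphi \text{ do } \alpha \text{ od})(s) = \{ s' \in S : \exists \mathcal{K} \subseteq \mathbb{N}\ \forall k \in \mathcal{K}\ \exists s_0, \ldots, s_k.\ s_0 = s \ \&\ s_k = s' \ \&\ [\forall j < k.\ s_{j+1} \in r^*(i, \alpha)(s_j) \ \&\ \mathcal{M}, s_j \models \varphi] \ \&\ \mathcal{M}, s' \models \neg\varphi \}$ 

For $A \in \wp(S)$ : $r^*(i, \alpha)(A)$ 
thus $r^*(i, \alpha)(\emptyset) = \emptyset$ 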

For atomic actions, sequential and repetitive compositions, r* is defined in 
the usual way. 

Obviously, for some states $s$ an agent $i$ has no opportunity to perform an 
action $\alpha$, so it certainly does not have any opportunity to execute any compound 
action starting from $\alpha$. Since for such states $r^*(i, \alpha)(s) = \emptyset$, we put $r^*(i, \alpha)(\emptyset) = \emptyset$. 

Defining $r^*$ for a repetitive composition (while $\varphi$ do $\alpha$ od) we consider all 
possible sequences of states $\langle s_0, \ldots, s_k \rangle$ (of any length $k$) such that an agent 
$i$, starting in $s_0$, performs $\alpha$ as long as $\varphi$ holds. A performance of a repetitive 
composition leads to any final state of such sequences. 

$t^* : \mathcal{A} \times Ac \to \wp(S) \to \wp(S)$ is defined analogously. While defining $t^*$ we consider 
typical action performances only. Let us recall that certain effects are viewed as 
typical ones. Therefore, for any $i \in \mathcal{A}$, $\alpha \in Ac$ and $s \in S$ we have 

$t^*(i, \alpha)(s) \subseteq r^*(i, \alpha)(s)$. 

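The extension $c^*$ is defined as follows 

$c^* : \mathcal{A} \times Ac \to S \to \{0, 1\}$ 

$c^*(i, a)(s) = c(i, a)(s)$ for $a \in At$ 

$c^*(i, \alpha_1; \alpha_2)(s) = \begin{cases} 1 & \text{iff } c^*(i, \alpha_1)(s) = 1 \ \&\ \exists s' \in r^*(i, \alpha_1)(s).\ c^*(i, \alpha_2)(s') = 1 \\ 0 & \text{otherwise} \end{cases}$ 

$c^*(i, \text{if } \varphi \text{ then } \alpha_1 \text{ else } \alpha_2 \text{ fi})(s) = \begin{cases} 1 & \text{iff } c^*(i, \alpha_1)(s) = 1 \ \&\ \mathcal{M}, s \models \varphi \text{ or } c^*(i, \alpha_2)(s) = 1 \\ 0 & \text{otherwise} \end{cases}$ 

$c^*(i, \text{while } \varphi \text{ do } \alpha \text{ od})(s) = \begin{cases} 1 & \text{iff } \exists \mathcal{K} \subseteq \mathbb{N}\ \forall k \in \mathcal{K}\ \exists s_0, \ldots, s_k.\ s_0 = s \ \&\ s_k = s' \ \&\ [\forall j < k.\ c^*(i, \alpha)(s_j) = 1 \ \&\ \mathcal{M}, s_j \models \varphi \ \&\ s_{j+1} \in r^*(i, \alpha)(s_j)] \ \&\ c^*(i, \alpha)(s') = 1 \\ 0 & \text{otherwise} \end{cases}$ 

and $c^*(i, \alpha)(\emptyset) = 0$. □ 

† Here the state $s \in S$ is identified with the singleton set $\{s\}$. 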

Recall that an agent’s capabilities are not related to its opportunities, viewed 
as circumstantial possibilities. However, from the standpoint of commonsense 
reasoning, it makes little sense to consider what an agent’s capabilities are in 
unreachable states (i.e. states that it has no opportunity to reach from a given 
state $s$). It seems intuitively justified to assume that in such states an agent has 
no capability to perform any action at all. Thus we put $c^*(i, \alpha)(\emptyset) = 0$. 

By $\mathbb{M}$ we denote the class of all Kripke models. 

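Definition 5.2 (Defining $\models$) 

Let $\mathcal{M} = (S, val, R, r, t, c)$ be a Kripke model from $\mathbb{M}$. For any propositional 
formula $\varphi$, $\mathcal{M}, s \models \varphi$ is defined in the usual way. 

For other formulas it is defined as follows: 

$\mathcal{M}, s \models \langle do_i(\alpha) \rangle \varphi$ iff $[\forall s' \in r^*(i, \alpha)(s)\ \mathcal{M}, s' \models \varphi]$ & 
$[\exists s' \in r^*(i, \alpha)(s)\ \mathcal{M}, s' \models \varphi]$ 

$\mathcal{M}, s \models \langle do_i(\alpha) \rangle \varphi, \psi$ iff $[\forall s' \in r^*(i, \alpha)(s)\ \mathcal{M}, s' \models \varphi]$ & 
$[\forall s'' \in t^*(i, \alpha)(s)\ \mathcal{M}, s'' \models \psi]$ & 
$[\exists s'' \in t^*(i, \alpha)(s)\ \mathcal{M}, s'' \models \psi]$ 

$\mathcal{M}, s \models A_i\alpha$ iff $c^*(i, \alpha)(s) = 1$ 

$\mathcal{M}, s \models K_i\varphi$ iff $\forall s'\ [(s, s') \in R(i) \Rightarrow \mathcal{M}, s' \models \varphi]$ □ 

A formula $\varphi$ is said to be satisfiable in $\mathcal{M}$ in a state $s$ iff $\mathcal{M}, s \models \varphi$. 

Remark 5.2 A formula $\langle do_i(\alpha) \rangle \varphi$ is satisfiable in $\mathcal{M}$ in a state $s \in S$ if in all 
states accessible from $s$ (by performing an action $\alpha$ by an agent $i$) $\varphi$ holds, and 
if at least one of such states exists. On the other hand, a formula $\langle do_i(\alpha) \rangle \varphi, \psi$ is 
satisfiable in $\mathcal{M}$ in a state $s \in S$ if in all states $s'$ accessible from $s$ (by performing 
the action $\alpha$ by an agent $i$) $\varphi$ holds, and in all states $s''$ accessible from $s$ by 
a typical performance of $\alpha$ (i.e. from the set $t^*(i, \alpha)(s)$) $\psi$ is satisfied, and if at 
least one of such states exists. □ 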

6 Modelling scenario realization 

In this section we provide a formalization of reasoning about scenarios for a 
given agent. We aim to determine the set of desirable conclusions resulting from 
the scenario realization. 

Let us recall the postulates imposed on scenarios. 

S1. The scenario contains a sequence of actions of various types built from atomic 
actions with certain or typical effects; 

S2. Each $\Delta$-action performed by an agent introduces different changes in the 
external world depending on whether the agent performs it typically or 
atypically; 

S3. The applied preferential strategy is based on the minimization of atypical 
performances of actions; 

S4. The final goal after performing a given scenario, including an adequate 
preferential strategy, is to determine the set of statements characterizing the 
preferred concluding states. 

Let us recall that a scenario for an agent $i$ denoted by $SCD(i, \{\gamma_{pre}\} Sc \{\gamma_{post}\})$ 
reflects the sequence $Sc = \langle \alpha_1, \ldots, \alpha_n \rangle$ of actions to be performed by an agent 
$i$, $\alpha_k \in Ac$, $k = 1, \ldots, n$, with a precondition $\gamma_{pre}$ and a postcondition $\gamma_{post}$. 
Intuitively the precondition $\gamma_{pre}$ and the postcondition $\gamma_{post}$ indicate initial 
and final observations (including the agent’s goals), respectively, i.e. statements 
which represent knowledge, abilities and/or opportunities of both the agent $i$ 
and some other agents. 

Definition 6.1 (Model for a scenario realization) 

Let $\mathcal{M}$ be a Kripke model and $SCD(i, \{\gamma_{pre}\} Sc \{\gamma_{post}\})$ a scenario for an agent 
$i$. We say that $\mathcal{M}$ is a model for a scenario SCD realization (a model of SCD, 
for short) iff there exist two states $s_1, s_2 \in S$ such that 

— $\mathcal{M}, s_1 \models \gamma_{pre}$ and $\mathcal{M}, s_2 \models \gamma_{post}$; 

— $s_2 \in r^*(i, Sc)(s_1)$ and $c^*(i, Sc)(s_1) = 1$. □ 

By MOD(SCD) we denote the class of all models of a given scenario SCD. 

6.1 Preferred models of a scenario realization 

Having determined the set of Kripke models of the scenario, we are in a posi- 
tion to choose those models which reflect a preferential strategy adequate for a 
considered type of scenario. As we focus on the generic scenario in this paper, 
the preferential strategy amounts to the minimization of atypical performances 
of actions from this scenario. 

Note that in a given model $\mathcal{M}$ of a scenario SCD, the sequence $Sc$ of actions 
may be decomposed into atomic actions (number of atomic actions differs in various 
scenario realizations due to nondeterminism of actions). The idea is to count 
atypical atomic action executions during a particular realization of a scenario. 
Our preferential strategy amounts to selecting models of a scenario realization 
with minimal numbers of atypical state transitions (i.e. those corresponding to 
atypical performance of a $\Delta$-action). 

To formalize these ideas we introduce some auxiliary notions. 

Given a Kripke model $\mathcal{M} = (S, val, R, r, t, c)$ we define a transition penalty 
function $p : \mathcal{A} \times At \times S \times S \to \mathbb{N}$ given by 

$p(i, a, s_1, s_2) = \begin{cases} 0 & \text{iff } s_2 \in t(i, a)(s_1) \text{ and } c(i, a)(s_1) = 1 \\ 1 & \text{iff } s_2 \in r(i, a)(s_1),\ s_2 \notin t(i, a)(s_1) \text{ and } c(i, a)(s_1) = 1 \\ +\infty & \text{otherwise} \end{cases}$ 

The underlying intuition is as follows. For an agent $i$, an atomic action $a$ and 
two states $s_1$ and $s_2$, we impose zero “penalty points” whenever the agent $i$ 
is capable of performing $a$ in a state $s_1$ and a typical performance of $a$ leads to 
the state $s_2$. However, if it performs $a$ atypically resulting in a state $s_2$, then 
we impose one penalty point. In other cases infinitely many penalty points are 
imposed (e.g. the agent $i$ is not capable of performing $a$ in a state $s_1$ or a state $s_2$ 
is unreachable for it by execution of $a$). 

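This function can be extended for compound actions in the following manner. 
The function $p^* : \mathcal{A} \times Ac \times S \times S \to \mathbb{N}$ is defined as follows 

$p^*(i, \alpha_1; \alpha_2, s_1, s_2) = \min_{s \in S} \{ p^*(i, \alpha_1, s_1, s) + p^*(i, \alpha_2, s, s_2) \}$ 

$p^*(i, \text{if } \varphi \text{ then } \alpha_1 \text{ else } \alpha_2 \text{ fi}, s_1, s_2) = \begin{cases} p^*(i, \alpha_1, s_1, s_2) & \text{iff } \mathcal{M}, s_1 \models \varphi \\ p^*(i, \alpha_2, s_1, s_2) & \text{otherwise} \end{cases}$ 

$p^*(i, \text{while } \varphi \text{ do } \alpha \text{ od}, s_1, s_2) = \min_{S_{(k)} \in \mathbb{S}} \sum_{j=0}^{k-1} p^*(i, \alpha, s'_j, s'_{j+1})$, where $\mathbb{S} = \bigcup_{k=0}^{\infty} S_k$ 

and $S_k$ is a set of all sequences $S_{(k)} = \langle s'_0, \ldots, s'_k \rangle$ of states such that 
$s'_0 = s_1$, $s'_k = s_2$, $\mathcal{M}, s_2 \models \neg\varphi$, and for each $j = 0, \ldots, k-1$, $\mathcal{M}, s'_j \models \varphi$. 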

Defining the function $p^*$ for a sequential composition, all states in a given 
Kripke structure are considered as intermediate states resulting from the 
performance of $\alpha_1$ in a state $s_1$ by an agent $i$. Then penalty points imposed on 
the corresponding two transitions are added. A minimal number of these points 
determines a global number of penalty points for a sequential composition. 

For a repetitive composition a minimal number of atypical state transitions is 
defined in the following way. We consider every sequence of states $\langle s'_0, \ldots, s'_k \rangle$ 
(of any length $k$) that ends in a state $s_2$, where $s'_{j+1}$ results from a performance 
of $\alpha$ in $s'_j$ and the condition $\varphi$ holds in each state of this sequence except the 
last one. Adding penalty points corresponding to each intermediate transition 
we count a “penalty” for this sequence. A minimal penalty obtained for these 
sequences determines the number of penalty points for a repetitive composition. 

For a model $\mathcal{M}$ of a scenario, the transition penalty function $p^*(i, \alpha, s_1, s_2)$ 
determines for an agent $i$ the minimal number of atypical atomic $\Delta$-actions which 
occur during performance of the action $\alpha$ leading from $s_1$ to $s_2$. 

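Given a Kripke model $\mathcal{M}$ and a scenario $SCD(i, \{\gamma_{pre}\} Sc \{\gamma_{post}\})$ we define 
a penalty function $P^{SCD}_{\mathcal{M}} : S \times S \to \mathbb{N}$ as follows 

$P^{SCD}_{\mathcal{M}}(s_1, s_2) = \begin{cases} +\infty & \text{iff } \mathcal{M}, s_1 \not\models \gamma_{pre} \text{ or } \mathcal{M}, s_2 \not\models \gamma_{post} \\ p^*(i, Sc, s_1, s_2) & \text{otherwise} \end{cases}$ 

This function determines for the agent $i$ a minimal number of atypical state 
transitions which occur during realization of the scenario SCD. 

Given a Kripke model $\mathcal{M}$ and a scenario $SCD(i, \{\gamma_{pre}\} Sc \{\gamma_{post}\})$ for an agent 
$i$, the value 

$PV(\mathcal{M}, SCD) = \min_{s_1, s_2 \in S} P^{SCD}_{\mathcal{M}}(s_1, s_2)$ 

is said to be the penalty value for a scenario SCD in a model $\mathcal{M}$. 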



Example 6.1 Consider the following scenario for an agent $i$: 

$SCD(i, \{\gamma_{pre}\}\ A; B; C\ \{\gamma_{post}\})$, where $A$, $B$ and $C$ are atomic actions. 

Let $\mathcal{M}$ be the Kripke model depicted in Fig. 1, where typical (and certain) 
transitions are denoted by thickened vectors. 

Suppose that the precondition $\gamma_{pre}$ holds in the state $s_1$, but it is not satisfied 
in $s_2$. Furthermore, assume that the postcondition $\gamma_{post}$ holds in the state $s_{11}$ 
but does not in states $s_{10}$ and $s_{12}$. 

Fig. 1 

In order to realize the scenario and to reach the state $s_{11}$, the agent $i$ has the 
five possibilities corresponding to the following sequences of states: 

$p_1 = \langle s_1, s_3, s_6, s_{11} \rangle$ 

$p_2 = \langle s_1, s_3, s_7, s_{11} \rangle$ 

$p_3 = \langle s_1, s_4, s_7, s_{11} \rangle$ 

$p_4 = \langle s_1, s_4, s_8, s_{11} \rangle$ 

$p_5 = \langle s_1, s_5, s_8, s_{11} \rangle$ 

It is easily noted that only one atypical transition occurs on the first three 
paths, whereas there are three such transitions on the path $p_4$ and two on the 
path $p_5$. Thus the penalty value for this scenario in $\mathcal{M}$ is $PV(\mathcal{M}, SCD) = 1$. □ 

Having determined the penalty value for a scenario SCD in M we are in a 
position to prefer models of SCD. 

Definition 6.2 (Preferred model) 

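Let SCD be a scenario and $\mathcal{M}_1, \mathcal{M}_2 \in \mathbb{M}$ be Kripke models. We say that $\mathcal{M}_1$ 
is preferred over $\mathcal{M}_2$ with respect to the scenario SCD, written $\mathcal{M}_1 \prec_{SCD} \mathcal{M}_2$, 
iff $\mathcal{M}_1, \mathcal{M}_2 \in MOD(SCD)$ and $PV(\mathcal{M}_1, SCD) < PV(\mathcal{M}_2, SCD)$. □ 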

Given a scenario SCD for an agent i we write PMOD(SCD) to denote the 
class of all preferred models for SCD. Obviously, what we are actually interested 
in is the set of conclusions entailed by the given scenario SCD. As expected, this 
set is to be defined in terms of preferred models. 

6.2 Scenario completion 

By scenario completion we understand the operation of taking the scenario 
description, performing this scenario using the adequate nonmonotonic preferential 
strategy and concluding as much as possible from the resulting conclusion states. 



Definition 6.3 (Conclusion states) 

Let SCD be a scenario for an agent $i$ and $\mathcal{M} \in PMOD(SCD)$ be a Kripke model. 
Conclusion states for SCD in $\mathcal{M}$, written $Conc(SCD, \mathcal{M})$, is the set $\{ s \in S : 
P^{SCD}_{\mathcal{M}}(s', s) = PV(\mathcal{M}, SCD)$ for some $s' \in S \}$. □ 

Definition 6.4 (Preferential Entailment $\mid\!\approx$) 

Let SCD be a scenario for an agent $i$ and let $\beta \in \mathcal{L}$ be a formula. We say that 
SCD preferentially entails $\beta$, written $SCD \mid\!\approx \beta$, iff for each $\mathcal{M} \in PMOD(SCD)$ 
and for each state $s \in Conc(SCD, \mathcal{M})$, $\mathcal{M}, s \models \beta$. □ 

The following definition specifies the set of desirable conclusions resulting 
from realization of a given scenario. 

Definition 6.5 (Scenario completion) 

Let SCD be a scenario for an agent $i$. A set $T(SCD) = \{ \beta : SCD \mid\!\approx \beta \}$ is called 
a scenario completion for SCD. □ 
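
The definitions of Section 6 can be run on a small model. The following Python code is an added example, not part of the original paper: it implements the transition penalty p, its extension p* for sequences of atomic actions only, the penalty value PV, conclusion states and preferential entailment of a single fluent, over two constructed models built around the Get_To_Airport action. The Check_In action, the state and fluent names, single-fluent pre- and postconditions, and taking the preferred models to be those of minimal finite penalty value within a given finite candidate list are assumptions made for the illustration.

```python
from math import inf

class Model:
    """Single-agent fragment (S, val, r, t, c) of a Kripke model; R is not used here."""
    def __init__(self, val, r, t, able):
        self.val = val        # state -> set of fluents true in that state
        self.S = set(val)
        self.r = r            # (action, state) -> all possible result states
        self.t = t            # (action, state) -> typical result states
        self.able = able      # (action, state) pairs for which c = 1
        for key, typical in t.items():
            # Definition 5.1: typical results are always among the possible results.
            if not typical <= r.get(key, set()):
                raise ValueError(f"t must be a subset of r for {key}")

def p(m, a, s1, s2):
    """Transition penalty: 0 for a typical step, 1 for an atypical one, inf otherwise."""
    if (a, s1) not in m.able:
        return inf
    if s2 in m.t.get((a, s1), set()):
        return 0
    if s2 in m.r.get((a, s1), set()):
        return 1
    return inf

def p_star(m, seq, s1, s2):
    """p* for a1; ...; an: minimise over every choice of intermediate states."""
    cost = {s: (0 if s == s1 else inf) for s in m.S}
    for a in seq:
        cost = {nxt: min(cost[s] + p(m, a, s, nxt) for s in m.S) for nxt in m.S}
    return cost[s2]

def P(m, scd, s1, s2):
    """Penalty function: inf unless the precondition holds in s1 and the postcondition in s2."""
    pre, seq, post = scd
    if pre not in m.val[s1] or post not in m.val[s2]:
        return inf
    return p_star(m, seq, s1, s2)

def PV(m, scd):
    """Penalty value of the scenario in model m."""
    return min(P(m, scd, s1, s2) for s1 in m.S for s2 in m.S)

def conclusion_states(m, scd):
    """States in which a minimal-penalty realization of the scenario ends."""
    best = PV(m, scd)
    if best == inf:
        return set()
    return {s2 for s2 in m.S if any(P(m, scd, s1, s2) == best for s1 in m.S)}

def preferred(models, scd):
    """Assumption: preferred models = minimal finite PV among the given candidates."""
    values = [PV(m, scd) for m in models]
    best = min(values, default=inf)
    return [m for m, v in zip(models, values) if v == best and v < inf]

def entails(models, scd, fluent):
    """Preferential entailment of one fluent, relative to the candidate models."""
    return all(fluent in m.val[s]
               for m in preferred(models, scd)
               for s in conclusion_states(m, scd))

# Constructed sample data (not taken from Fig. 1 of the paper).
VAL = {
    "home": {"at_home"},
    "airport_taxi": {"in_airport", "spent_money_on_taxi"},
    "airport_lift": {"in_airport"},
    "gate_taxi": {"in_airport", "spent_money_on_taxi", "checked_in"},
    "gate_lift": {"in_airport", "checked_in"},
}
GO = ("Get_To_Airport", "home")
# Check_In has certain effects only, so its typical and possible results coincide.
CHECK_IN = {("Check_In", "airport_taxi"): {"gate_taxi"},
            ("Check_In", "airport_lift"): {"gate_lift"}}
ABLE = {GO, *CHECK_IN}

# M1: the taxi (typical execution) is available. M2: only the atypical lift is possible.
M1 = Model(VAL, {GO: {"airport_taxi", "airport_lift"}, **CHECK_IN},
           {GO: {"airport_taxi"}, **CHECK_IN}, ABLE)
M2 = Model(VAL, {GO: {"airport_lift"}, **CHECK_IN},
           {GO: set(), **CHECK_IN}, ABLE)
SCD = ("at_home", ["Get_To_Airport", "Check_In"], "checked_in")

if __name__ == "__main__":
    for name, m in (("M1", M1), ("M2", M2)):
        print(name, "PV =", PV(m, SCD), "Conc =", conclusion_states(m, SCD))
    print("typical effect entailed:", entails([M1, M2], SCD, "spent_money_on_taxi"))
```

With both models as candidates the typical effect of taking a taxi is concluded; restricting the candidates to M2 withdraws that conclusion, which is the nonmonotonic behaviour the minimization of atypical performances is meant to capture.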

7 Conclusions and Directions for Future Work 

In this paper we semantically investigated nondeterministic actions with typical, 
but not necessarily certain, effects. We show how to incorporate this new kind 
of action into an epistemic/dynamic multi-agent system. 

In the AI literature actions are usually studied in the context of scenarios. 
We focus on scenarios reflecting a typical pattern of behaviour of a rational 
agent in a multi-agent system. To capture nonmonotonic aspects of scenarios, 
their realizations are modelled by defining a preferential strategy which can be 
viewed as a minimization of atypical performances of actions. As a final step of 
reasoning about a scenario we determine the set of desirable conclusions to be 
derived from it. 

In our formalization of actions and in reasoning about scenarios, the epistemic 
part represented by the $K$ operator remains inactive. In future, the agent’s 
knowledge may be used in the planning process, during inference about the agent’s 
abilities and opportunities, and also when considering actions which may change 
the agent’s mind. 

There are still several topics that need to be studied. To adequately capture 
the variety of problems appearing during reasoning about action and change, 
our most important goal is to resolve the frame problem and the ramification 
problem in the framework presented in this paper. Next, formal properties of our 
formalism, as well as should be investigated. Finally, different kinds of scenarios 
built over $\Delta$-actions with corresponding preferential strategies may be studied. 

Another line of research is strictly related to the multi-agent systems paradigm, 
namely to Beliefs, Desires and Intentions architectures. In cooperative problem 
solving, collective and social aspects of informational and motivational attitudes 
have received a lot of attention lately (see [5], [1]). When considering teamwork, the next 
step is to design actions to be performed by groups of agents. Also social and 
collective actions with typical effects should be viewed as first-class citizens in 
the near future. 

Abstract. We present a first-order formalism for dealing with agents’ 
cognitive attitudes in a dynamic setting. We first extend our ontology 
in order to represent agents’ beliefs and goals. These mental attitudes 
are expressed in the situation calculus by means of accessibility fluents 
that represent accessibility relations among alternative situations. Then, 
we consider changes of mental attitudes in a dynamic and incompletely 
specified world. Changes may be caused either by the evolution of the 
external world or by the acquisition of new information. In particular, 
acquisition of information that modifies agents’ cognitive attitudes is 
expressed by cognitive actions. The effects of cognitive actions are 
characterized by suitable axioms, thus providing a model for the evolution 
of the alternative situations and the accessibility fluents. We discuss our 
proposal and compare our model of change with the characterization of 
Belief Revision postulated by Gärdenfors. We finally introduce the 
problem of describing agents in a dynamic environment, and briefly sketch a 
possible extension of the theory that copes with this problem. 



1 Introduction 

Most AI problems need to cope with real domains, where the environment 
can dynamically change, and where the state of affairs cannot always be com- 
pletely specified. For instance, theories of actions often deal with a world that 
evolves in a dynamic way, and that in general may be not completely known. Re- 
cently, some AI problems have been effectively analyzed within the paradigm of 
Intelligent Agents (see [27] for a review), viewed as autonomous entities charac- 
terized in terms of their cognitive attitudes. Thus, from one side much effort has 
been devoted to develop theories of actions for representing dynamic settings, 
and, from the other, to theories of agents accounting for cognitive attitudes. In 
general, much work on theories of agents can be built on top of an underlying 
theory of actions, where agents are seen as interacting entities within a dynamic 
environment. 

In recent years, renewed consideration has been given to the situation calculus 
as a logical formalism for the definition of both a theory of actions and a theory 
of agents. Reiter [20], elaborating on previous accounts, provides a new solution 
to the frame problem. This allows the representation of a dynamic environment 
by axiomatizing the initial state of affairs, along with the preconditions and 
effects of the execution of actions. Moreover, this theory can be straightforwardly 

J.-J. Ch. Meyer, P.-Y. Schobbens (Eds.): Formal Methods of Agents, LNAI 1760, pp. 157-172, 1999. 
translated into a logic programming language, GOLOG [11], where it is possible
to specify also complex actions and programs. Finally, Scherl and Levesque [22] 
give an account of a knowledge attitude and of knowledge-producing actions in 
the situation calculus. 

The aim of this paper is to further develop this research by dealing with other 
aspects of agents’ cognitive state. We start by extending the theory of actions 
in order to deal with a generalized concept of situations, representing agents’ 
alternative views of the world, and by explicitly modelling the effects of actions 
on the alternative situations. Next, we focus on the representation of beliefs and 
goals in this framework. We first consider the updates of agents’ cognitive state 
resulting from changes, due to physical actions affecting the external environ- 
ment. Then, we deal with the evolution of agents’ mental attitudes. We provide 
a set of cognitive actions explicitly affecting agent mental attitudes and we for- 
malize a model of belief revision that complies with principles widely accepted 
in the literature. Finally, we discuss the problem of describing the behaviour of 
agents in our framework. This is an interesting problem disregarded, in general, 
by most existing theories of agents that focus rather on the specification or pre- 
scription of the behaviour of agents. We start by briefly reviewing in Section 2 
the situation calculus and the solution proposed by Reiter to the frame problem. 
Then, in Section 3 we introduce a set of mental attitudes for agents, extend- 
ing our ontology in order to provide them with a semantics. In Section 4, we 
formalize the change of these mental attitudes, and in Section 5 we show how 
this model for change relates to other literature. Finally, in Section 6 we briefly 
tackle the problem of describing agents, and extend the ontology in order to deal 
with this task. In the last section we conclude this presentation with a general 
discussion, and a comparison with some related work. 

2 The Situation Calculus 

The language we consider is a reified many-sorted first-order language with
equality, built on the following ingredients. Five sorts: agent, sit, action, fluent, and
object, respectively, for agents, situations, actions, fluents, and anything else.
A finite number of functions and predicates including the three following ones.
A ternary function do(ag, a, s) from agent × action × sit to sit, denoting the
situation resulting from agent ag performing action a in situation s. A ternary
predicate Poss(ag, a, s), defined on agent × action × sit, stating whether or not
action a is possible for agent ag in situation s. A binary predicate Holds(f, s),
defined on fluent × sit, stating that a fluent f is true in a situation s.
Intuitively, fluents are used to define properties changing from one situation to the
future ones. A description of the state of the world in a given situation s is
simply obtained by considering fluents f that hold in situation s, i.e., that make
predicate Holds(f, s) true. The evolution of the world state is thus described by
new fluents holding in the new situation resulting from the action that has been
performed. We start from an initial situation $S_0$, whose properties may be stated
through fluents holding in $S_0$. When an action a is performed in $S_0$ by an agent
ag, a new situation $do(ag, a, S_0)$ is obtained, where fluents hold possibly different
from those holding in $S_0$. As discussed by Pinto in [16], this reified version of the
situation calculus, where fluents are introduced as terms of the language rather
than as predicates, can be shown to be substantially equivalent to the non-reified
version. Furthermore, in [2] we show an extension of the language that allows
for a full first-order reification (with quantifying-in).

In Reiter’s proposal, where a solution to the frame problem is provided, the
evolution of the state of the world may be specified by defining a logical theory
with two kinds of axioms: Action precondition axioms, specifying for each action
all and only the conditions under which it can be performed; Successor state
axioms, stating for each fluent necessary and sufficient conditions under which
actions affect its truth value. For instance, the action precondition axiom for
action switchOn(c) that allows an agent to switch computer c on, may be of the
form:¹

$$Poss(ag, switchOn(c), s) \equiv Computer(c) \land Holds(functioning(c), s).$$

This axiom says that in a certain situation only computers that are functioning 
can be switched on. Thus, this approach requires that all the conditions or 
qualifications that define the possibility to perform an action be specified in the
axiom. Hence, it ignores minor qualifications and leaves room to the well known 
qualification problem, as first pointed out by McCarthy in [14]. 

Likewise the effects of actions, under certain conditions, can be lumped to- 
gether yielding a successor state axiom. For instance, the fluent functioning can 
have the following successor state axiom: 

$$\begin{array}{l}
Poss(ag, a, s) \rightarrow \\
\quad Holds(functioning(c), do(ag, a, s)) \equiv Computer(c) \land a = repair(c) \lor {} \\
\quad Holds(functioning(c), s) \land a \neq hammer(c).
\end{array}$$

That is, a computer will be functioning after an action if it gets repaired by
that action, or it was functioning before, and the action did not consist of ham- 
mering it. This approach relies on what Reiter calls the Causal Completeness 
Assumption, which amounts to demanding that all the causal laws affecting the 
truth values of a fluent be specified. In this case he shows a systematic proce- 
dure to generate the parsimonious representation provided by the successor state 
axioms. 

¹ We adopt the following conventions. We always assume all variables fall in the scope
of a quantifier, and sometimes omit the universal quantification, with the
stipulation that formulas with free variables are always implicitly universally quantified.
Iterated quantification over variables $v_1 \ldots v_n$, e.g., $\exists v_1 \ldots \exists v_n$, can be simplified
to $\exists v_1 \ldots v_n$ or also $\exists \vec{v}$. Likewise, a formula $\phi(v_1, \ldots, v_n)$ can also be denoted as
$\phi(\vec{v})$. As for the other connectives, we sometimes drop parentheses assuming that $\land$
and $\lor$ bind more strongly than $\rightarrow$ and $\equiv$ (e.g., $\alpha \land \beta \rightarrow \gamma$ stands for $(\alpha \land \beta) \rightarrow \gamma$ and
$\alpha \equiv \beta \lor \gamma$ stands for $\alpha \equiv (\beta \lor \gamma)$), and $\neg$ is stronger than any other connective. Finally,
for the sake of readability, we generally use capitalized names to denote predicate
and constant symbols, and lower case names for function symbols and variables.
In addition, it is required that unique name assumptions be postulated for
fluents and actions. Furthermore, in order to have the correct semantic charac- 
terization of situations, some extra axioms are needed. In particular, a set of 
foundational axioms ensures a tree-like structure for situations. As shown by 
Reiter in [21], a second-order axiom that expresses induction on situations is 
needed to provide the intended characterization, ruling out non-standard mod- 
els. Anyway, Lin and Reiter show [12] that reasoning tasks, like querying or 
projecting a knowledge base, can be performed in many cases by relying only on 
a subset of the axioms expressed at first-order. 

3 Mental Attitudes in the Situation Calculus 

In this work we focus on agents’ beliefs and goals as basic mental notions. In a 
related paper [4] we show how to express a more general set of attitudes rel- 
evant to an agent-based approach that we propose for the problem of User 
Modelling. Mental attitudes are represented by cognitive fluents defined on 
agent × situation. The first fluent, believes, is used to represent those facts that
agents consider as true in a given state. Beliefs may be defeasible, i.e., may be 
withdrawn in future states, if simply more information is provided. The second 
fluent, wants, deals with agents’ objectives; these represent properties of the 
world that agents consider as desirable ones. We do not make any assumption 
here on the relation between agents’ objectives and the action they perform, i.e., 
on agents’ rationality.

Then, we consider a possible-worlds setting for providing these cognitive fluents
with a definition. The intuitive idea behind the introduction of possible
worlds in the situation calculus, due originally to Moore [15] and Scherl and 
Levesque [22], is the following one. In order to express cognitive attitudes, in- 
stead of considering single situations, we consider sets of alternative situations 
representing alternative states of affairs according to agents’ mental model of 
the world. Thus, different situations are used to represent both static and dy- 
namic features. On the one hand they capture, in a static mode, properties of 
different contemporary states of affairs conceived by agents. On the other hand, 
in a dynamic view, properties of states evolving under the effect of actions are 
represented through different situations. In the sequel, in order to stress this 
different use of a situation, we sometimes refer to it as an alternative when it 
is used to provide alternative static properties, or as a state when it is used to 
provide dynamic properties resulting after some action gets executed. 

In [2] we provide a new set of foundational axioms that extend to our al- 
ternative situations setting those proposed by Reiter [21] to provide a suitable 
semantic characterization of situations. 



3.1 Accessibility Fluents 

In our development of the possible situations setting, at a given state each agent 
is associated with a set of contemporary alternatives, i.e., a cluster. Alternatives 
represent agents’ different views of the world that are relevant to express their
mental attitudes. Clusters are expressed by an accessibility fluent among
situations, A, defined on agent × sit. We say that Holds(A(ag, s'), s) is true iff s' is in
the same cluster of s for agent ag, or, equivalently, s' is a conceivable situation
from s for agent ag. We allow an agent to be related to the same cluster in
situations corresponding to different dynamic evolutions. For instance, agents keep
their cluster unchanged when an action is performed, but they are not aware of 
it. A given state of affairs is thus represented by a situation s, describing the 
actual world, and a set of clusters of alternative situations, describing agents’ 
mental state. Intuitively, after an agent ag performs an action a in s, the state of 
the world changes and function do determines the new description represented 
by the situation resulting from ag performing a in the old starting situation. 
Besides, we have a new set of clusters, some of which (those relative to agents 
that are not aware of the action performed) are the same ones relative to the 
old actual situation, and some others (those relative to agents that are aware of 
the action occurred) are composed of situations determined by ag performing a 
in each of the situations belonging to the old cluster. In the next section we will 
give a characterization of fluent A that expresses these ideas. 

Next, we introduce two more accessibility fluents, B and G, defined on sorts
agent × sit, which are accessibility relations among situations. They are used
to select subsets of clusters, i.e., situations accessible via relation A (or
A-accessible), for characterizing the cognitive fluents. Accessibility fluent B,
holding in a situation s', expresses that, owing to suppositions or bias of agent ag,
s could be a plausible situation when the actual situation is s'. Analogously,
accessibility fluent G, holding in a situation s', expresses that situation s is a
desirable alternative, or a desirable situation, for agent ag in situation s'.

Relevant features of the world in a given state of affairs are expressed by 
fluents holding in the actual situation; relations among alternative situations 
relative to the same state of affairs are expressed through the accessibility fluents. 
Different fluents may hold when passing from a state to a successive one, and 
thus different relations among alternatives may hold in the new actual state. 
The evolution of the accessibility fluents determines an evolution of the cognitive 
attitudes of an agent. 

Beliefs and wants about a fact can be represented by considering the truth 
values of that fact in the alternative situations. Thus, we state that an agent 
believes or wants a fact in an actual situation s if this holds in all situations that 
are accessible via relation B or G, respectively, from s, as stated by the following 
formal definitions: 

$$Holds(believes(ag, p), s) \equiv \forall s'\, Holds(B(ag, s'), s) \rightarrow Holds(p, s')$$

$$Holds(wants(ag, p), s) \equiv \forall s'\, Holds(G(ag, s'), s) \rightarrow Holds(p, s').$$

We stress the fact that, as in Scherl and Levesque [22], cognitive fluents are not
considered as new fluents of our ontology. Instead, they are defined as
abbreviations, or macros, of formulas involving the accessibility fluents.² These are in fact
the only fluents that need to be introduced to characterize cognitive attitudes. 
Anyway, in the sequel, we allow cognitive fluents to appear within formulas of 
the situation calculus. 

4 Characterization of Mental Attitudes 

In another work [4] we have discussed constraints on the accessibility fluents 
that determine a reasonable behaviour for the cognitive concepts built on top of 
them. In particular, we give the following: 



Definition 1. We postulate the following properties characterizing accessibility
fluents:

1. $Holds(A(ag, s_2), s_1) \land Holds(A(ag, s_3), s_2) \rightarrow Holds(A(ag, s_3), s_1)$;

2. $Holds(A(ag, s_2), s_1) \land Holds(A(ag, s_3), s_1) \rightarrow Holds(A(ag, s_3), s_2)$;

3. $Holds(B(ag, s_2), s_1) \land Holds(B(ag, s_3), s_2) \rightarrow Holds(B(ag, s_3), s_1)$;

4. $Holds(B(ag, s_2), s_1) \land Holds(B(ag, s_3), s_1) \rightarrow Holds(B(ag, s_3), s_2)$;

5. $Holds(B(ag, s_2), s_1) \rightarrow Holds(A(ag, s_2), s_1)$;

6. $Holds(G(ag, s_2), s_1) \rightarrow Holds(A(ag, s_2), s_1)$;

7. $Holds(A(ag, s_2), s_1) \land Holds(B(ag, s_3), s_2) \rightarrow Holds(B(ag, s_3), s_1)$;

8. $Holds(B(ag, s_2), s_1) \land Holds(G(ag, s_3), s_2) \rightarrow Holds(G(ag, s_3), s_1)$.

Properties characterizing the conceivability relation, represented by fluent A, are
transitivity and Euclidicity, expressed by formulas 1 and 2. Likewise, properties
characterizing the plausibility relation represented by fluent B are again transitivity
and Euclidicity; they are expressed by formulas 3 and 4, and are the same
properties that characterize frames of modal system K45. Sentences 5 and 6 state
that two situations are accessible via fluents B or G only if they belong to the
same cluster. Sentence 7 states that agents have the same plausible-accessible
situations from conceivable-accessible ones, or, equivalently, that B is transitive 
over A and B. Likewise, sentence 8 states that agents have the same desirable- 
accessible situations from plausible-accessible ones, or, equivalently, that G is 
transitive over B and G. In [3] we show that it is actually sufficient to ensure 
that these constraints on accessibility fluents be met only for the initial clusters. 
In this case the evolution of accessibility fluents, as described in the next section,
does satisfy the constraints also for those clusters reached after the transition 
with successive actions. 

As for the relationship between wants and beliefs, in general, we do not 
require that, in a given state, alternatives accessible by function G be a subset 
of those accessible by B, i.e., we drop what Cohen and Levesque call the realism 
hypothesis [1]. This simply avoids the following two problems (see, e.g., Rao 
and Georgeff [19]) arising in formalisms for goals and beliefs where desirable 

² Anyway, in [2] we show how it is possible to introduce cognitive fluents formally
within the full reified language.
worlds are contained in plausible ones: the belief-goal transference problem, i.e.,
the fact that any belief must be also a goal; and, the side-effect problem, i.e.,
the closure of goals under belief implication. Anyway, the choice of dropping 
such hypothesis does not appear here so counterintuitive as it may be when 
plausible or conceivable alternatives contain also the future evolutions of the 
current state.³ In fact, we consider that alternatives are always contemporary.
Thus, the fact that an agent desires an alternative that it does not consider 
plausible does not imply that it considers that situation, or better a different 
one where the same fluents hold, is never to be reached in the future. 

As we show in the sequel, in order to express change of mental attitudes, 
A-accessible situations may contain, in general, alternatives that are neither 
plausible nor desirable. When actions are performed, the world evolves in a new 
state where, in general, different fluents hold. In this new state, we consider 
the change for two different kinds of properties: physical fluents describing the
state of the real world, which are affected by physical actions on the real world,
and accessibility fluents which are affected by informative actions, or cognitive
actions, which determine changes on agents’ mind.

4.1 Evolution of Physical Fluents 

Physical actions do not directly affect accessibility fluents, but determine changes
in the real world. Now, suppose that F is a physical fluent, whose successor state 
axiom, according to the solution to the frame problem proposed by Reiter for 
the single agent case in [20], is of the form: 

$$Poss(a, s) \rightarrow \{Holds(f(x), do(a, s)) \equiv \gamma_f^{+}(x, a, s) \lor (Holds(f(x), s) \land \neg\gamma_f^{-}(x, a, s))\}.$$

Where $\gamma_f^{+}(x, a, s)$ is a formula that states the conditions that make Holds(f)
true, and $\gamma_f^{-}(x, a, s)$ states the conditions that make Holds(f) false, after action
a is performed. This axiom can be easily generalized to the multi-agent case by 
suitably providing the extra argument of sort agent. Besides, in the alternative 
situations setting, it suffices to let it apply to all of the different alternatives, as 
stated by the implicit universal quantification over situations. In this case, as 
shown in the next section, accessibility fluents allow the selection of those
alternatives that are relevant to describe an agent’s attitudes. Note that the evolution
of physical fluents may affect the cognitive fluents relatively to agents that have 
some alternative that is accessible through accessibility fluents where some fluent 
has changed. Other changes of cognitive attitudes are described in the next section.

4.2 Evolution of Accessibility Fluents 

We first distinguish the case where an agent is aware of the effects of an action 
performed from that where it is not. In fact, in the former case we also have to 

³ On the contrary, a similar choice is less intuitive for frameworks where possible worlds
contain all the future evolutions of the current state. For instance, the choice of weak 
realism of Rao and Georgeff [19] implies that agents desire or intend also worlds that 
they consider never to be reached. 
account for a change in agent mental state. We introduce a predicate, Aware,
defined on agent × agent × action × sit, stating that an agent is aware of the action
performed by another agent in a given situation and that it is also aware of the 
effects that that action brings about. Thus, it becomes possible to characterize 
the evolution of clusters by defining a suitable successor state axiom for fluent 
A: 

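$$\begin{array}{l}
Poss(ag, a, s) \rightarrow \\
\quad \{Holds(A(ag_1, s_1), do(ag, a, s)) \equiv \\
\qquad (\neg Aware(ag_1, ag, a, s) \rightarrow Holds(A(ag_1, s_1), s)) \land {} \\
\qquad (Aware(ag_1, ag, a, s) \rightarrow \exists s_2 . (s_1 = do(ag, a, s_2) \land Poss(ag, a, s_2) \land {} \\
\qquad\quad Holds(A(ag_1, s_2), s)))\}.
\end{array} \tag{1}$$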

What this axiom states is that when an action is performed the new cluster 
associated with an agent in the resulting state is equal to the same one it was 
associated with in the starting situation, if it is not aware of the action performed. 
Otherwise, if it is aware of the action, the cluster is made of alternatives resulting 
from applying function do to those alternatives of the starting cluster where 
the action is possible. In [2] we prove that this successor state axiom actually 
captures the intuition about clusters discussed above. 

Then, we provide a model of the change of the accessibility fluents, and hence 
of the cognitive fluents, when some cognitive action modifies mental attitudes 
of an agent. We extend our ontology by introducing some cognitive actions that 
determine the evolution of agents’ attitudes. We consider actions involving only 
one agent and expressing atomic changes like adding, removing or revising a 
belief or a want. We restrict changes to simple terms, i.e., facts that do not 
contain cognitive fluents, and do not have arguments of sort sit.⁴ This avoids
complications and problems arising when revising beliefs of beliefs, as exemplified
in [26]. Thus, given a simple term p, we consider the following kinds of cognitive
actions: $expand_B(p)$ and $expand_G(p)$, to express that a new fact p is added
to agent ag’s beliefs and wants, respectively; $contract_B(p)$ and $contract_G(p)$,
expressing that a fact p is to be removed from (those facts that could be inferred
from) the beliefs and goals of agent ag, respectively; $revise_B(p)$ and $revise_G(p)$,
to express that a new fact should be consistently added to agent ag’s beliefs
and goals, respectively. This means that possibly fact $\neg p$ should be removed
from (those facts that could be inferred from) the beliefs and goals of agent
ag, respectively, before adding fact p. In the sequel we shall characterize the
effects of the expansion and contraction action only. For the revise action it is
possible to rely on these solutions. In fact terms containing revise actions can be
expanded by applying Levi’s identity (see, for instance, [6]) expressing revision
by a contraction and an expansion performed in sequence:

$$do(ag, revise(p), s) = do(ag, expand(p), do(ag, contract(\neg p), s)).$$

⁴ Elsewhere [2] we tackle the problem of dealing with cognitive actions concerning
expressions that contain also cognitive attitudes. 
Selection Fluents. In order to characterize how cognitive actions affect agents’
cognitive attitudes, two selection relations among alternative situations are
introduced. Intuitively, in order to contract a belief (or goal) p, a new set of
alternative situations where p does not hold should be added to those B-accessible
or G-accessible. This expansion of the accessible situations corresponds to a
contraction of the facts that are believed (or wanted). In fact, as discussed,
for instance, by Gärdenfors in [6], it seems reasonable that this contraction be
performed in different ways for different agents, relying on some explicit
notion related to agents’ characterization. Thus, recasting in the situation calculus
ideas developed by van Linder et al. [26] in propositional dynamic logic (PDL),
we represent this new set of alternatives through selection fluents $S_B$ (or $S_G$),
defined on agent × fluent × situation, expressing which situations an agent is
more inclined to include as new alternatives to the plausible (or desirable) ones
when a given belief (or goal) must be removed. Then, we consider constraints
that can be stated for selection fluents, so that beliefs (or goals) holding after
contraction meet some criteria of rationality, as will be shown in the sequel. In
particular we allow only selection fluents $S_X$, $X \in \{B, G\}$, that meet the following
restrictions:⁵

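1. $Holds(S_X(ag, p, s'), s) \rightarrow Holds(A(ag, s'), s) \land Holds(\neg p, s')$;

2. $(\exists s'.\, Holds(X(ag, s'), s) \land Holds(\neg p, s')) \rightarrow (Holds(S_X(ag, p, s''), s) \rightarrow Holds(X(ag, s''), s))$;

3. $Holds(\neg S_X(ag, p, s'), s) \equiv (Holds(A(ag, s''), s) \rightarrow Holds(p, s''))$;

4. $(Holds(A(ag, s''), s) \rightarrow (Holds(p, s') \equiv Holds(q, s'))) \rightarrow (Holds(S_X(ag, p, s''), s) \equiv Holds(S_X(ag, q, s''), s))$;

5. $Holds(S_X(ag, p \land q, s'), s) \rightarrow (Holds(S_X(ag, p, s'), s) \lor Holds(S_X(ag, q, s'), s))$;

6. $(\exists s'\, Holds(S_X(ag, p \land q, s'), s) \land Holds(\neg p)) \rightarrow (Holds(S_X(ag, p, s''), s) \rightarrow Holds(S_X(ag, p \land q, s''), s))$.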

The first axiom states that a selected situation must be one of the same cluster 
where $\neg p$ holds. Axiom 2 says that if there already exists some plausible situation
where $\neg p$ holds, then the set of selected situations must be contained in that of
plausible (resp. desirable) ones. Axiom 3 asserts that if p holds in all selected 
situations then it must hold in all those ones in the same cluster. Axiom 4 
states that the same situations are selected for predicates that are equivalent 
in all situations that belong to the same cluster. Axiom 5 ensures that the 
situations selected when contracting a conjunction must be contained in the 
union of the situations selected when contracting each conjunct. Finally, Axiom 
6 states that, according to a minimal change principle, if the set of situations 
selected when contracting a conjunction is not empty, then it must contain the 
situations selected when contracting one of the conjuncts. 

Successor State Axioms for Accessibility Fluents The evolution of acces- 
sibility fluents through states is expressed, as usual, by defining suitable successor 

⁵ Abusing notation, we allow the logical connectives to range over terms of sort fluent.
In [2] the corresponding term-forming operators, e.g., and or not, are formally 
introduced. 
state axioms. We assume that only agents who perform a change of cognitive
attitudes are aware of it. As for B, the axiom can be stated formally as follows: 

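$$\begin{array}{l}
Poss(ag, a, s) \rightarrow \\
\quad \{Holds(B(ag_1, s_1), do(ag, a, s)) \equiv \\
\qquad (\neg Aware(ag_1, ag, a, s) \rightarrow Holds(B(ag_1, s_1), s)) \land {} \\
\qquad [Aware(ag_1, ag, a, s) \rightarrow \exists s_2 [s_1 = do(ag, a, s_2) \land Poss(ag, a, s_2) \land {} \\
\qquad\quad [ag_1 \neq ag \lor (a \neq expand_B(p) \land a \neq contract_B(p)) \rightarrow Holds(B(ag, s_2), s)] \land {} \\
\qquad\quad [a = expand_B(p) \land ag_1 = ag \rightarrow Holds(p, s_2) \land Holds(B(ag, s_2), s)] \land {} \\
\qquad\quad [a = contract_B(p) \land ag_1 = ag \rightarrow Holds(S_B(ag, p, s_2), s)]]]\}.
\end{array} \tag{2}$$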

Thus, it states that a situation $s_1$ is B-accessible to agent $ag_1$ from the situation
resulting from agent ag performing an action a in situation s iff either we have
that the agent is not aware of the action performed and $s_1$ is already plausible
from s, or, otherwise, the agent is aware, and $s_1$ is the result of ag performing a
possible action in a situation $s_2$. Moreover, one of these three conditions holds.
The action is neither a contraction nor an expansion performed by $ag_1$ and $s_2$
is plausible from s. The action is an expansion of a fluent p performed by $ag_1$
itself and both $s_2$ is plausible from s and p holds in $s_2$. Finally, the action is
a contraction of a fluent p performed by $ag_1$ itself and $s_2$ belongs to the set
of situations selected by the selection function for the fluent p. Likewise, G is
characterized by a similar axiom obtained by replacing B with G.

5 Analysis of the Model of Dynamic Attitudes 

In this section we compare our framework dealing with dynamics of agents’ 
cognitive attitudes with the postulates proposed by Gärdenfors in [6]. The fact
that our model complies with the postulates defined for belief revision provides 
a rationality justification and a cognitive commitment for the model we propose. 

Given an agent ag, a situation s and an accessibility fluent $X \in \{B, G\}$,
we define a belief (goal) cognitive set $E_B(ag, s)$ ($E_G(ag, s)$) as the set of simple
terms p that are believed (wanted) in situation s. From the fact that distribution
holds for all accessibility fluents, it becomes evident that cognitive sets are closed
under implication, and thus comply with the definition of (possibly absurd) belief
sets given in [6].

In the sequel, we list a set of properties holding for cognitive sets that are the
analogs of the postulates proposed by Gärdenfors for belief revision, adapted to
our framework. We start with properties of cognitive sets $E_X(ag, s)$ concerning
actions $expand_X(p)$, $X \in \{B, G\}$, and holding for any agent ag, situation s and
simple term p.

Proposition 2. The following relations hold:

1. $E_X(ag, do(ag, expand_X(p), s))$ is a cognitive set;

2. $p \in E_X(ag, do(ag, expand_X(p), s))$;

3. $E_X(ag, s) \subseteq E_X(ag, do(ag, expand_X(p), s))$;

4. if $p \in E_X(ag, s)$ then $E_X(ag, s) = E_X(ag, do(ag, expand_X(p), s))$;

5. if $E_X(ag, s) \subseteq E_X(ag, s')$ then $E_X(ag, do(ag, expand_X(p), s)) \subseteq E_X(ag, do(ag, expand_X(p), s'))$;

6. $E_X(ag, do(ag, expand_X(p), s))$ is the smallest set satisfying the above properties.

Similarly, provided that axioms of Section 4.2.1 hold, we can prove properties 
corresponding to those defined in [6] for cognitive sets $E_X(ag, s)$ concerning
actions $contract_X(p)$, $X \in \{B, G\}$, and holding for any agent ag, situation s and
simple term p. 

Proposition 3. The following relations hold:

1. $E_X(ag, do(ag, contract_X(p), s))$ is a cognitive set;

2. $E_X(ag, do(ag, contract_X(p), s)) \subseteq E_X(ag, s)$;

3. if $p \notin E_X(ag, s)$ then $E_X(ag, s) = E_X(ag, do(ag, contract_X(p), s))$;

4. if $\neg Holds(A(ag, s'), s) \rightarrow Holds(p, s')$ then $p \notin E_X(ag, do(ag, contract_X(p), s))$;

5. if $p \in E_X(ag, s)$ then $E_X(ag, s) \subseteq E_X(ag, do(ag, expand_X(p), do(ag, contract_X(p), s)))$;

6. if $Holds(A(ag, s'), s) \rightarrow (Holds(p, s) \equiv Holds(q, s))$ then $E_X(ag, do(ag, contract_X(p), s)) = E_X(ag, do(ag, contract_X(q), s))$;

7. $E_X(ag, do(ag, contract_X(p), s)) \cap E_X(ag, do(ag, contract_X(q), s)) \subseteq E_X(ag, do(ag, contract_X(p \land q), s))$;

8. if $p \notin E_X(ag, do(ag, contract_X(p \land q), s))$ then $E_X(ag, do(ag, contract_X(p \land q), s)) \subseteq E_X(ag, do(ag, contract_X(p), s))$.
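
The belief-change operations of Sections 4.2 and 5, together with the Section 2 axioms for switchOn and functioning, as an added executable example (not code from the paper): a situation is modelled as the set of fluents that hold in it, and a cluster and its plausible subset as Python sets. The `on` fluent and its successor state axiom, the nearest-alternative selection function, and the reading of contraction as adding the selected alternatives to the plausible ones (as the Selection Fluents paragraph describes it) are assumptions of this example.

```python
from itertools import combinations

ATOMS = ("functioning", "on")  # "functioning" is the page's fluent; "on" is assumed


def all_states():
    """Every truth assignment; a situation is the frozenset of fluents that hold."""
    return {frozenset(c) for r in range(len(ATOMS) + 1)
            for c in combinations(ATOMS, r)}


def poss(action, s):
    """Precondition axiom: switchOn needs a functioning computer.
    Every other action is assumed to be always possible."""
    return "functioning" in s if action == "switchOn" else True


def do(action, s):
    """Successor state axioms applied to one situation."""
    functioning = action == "repair" or ("functioning" in s and action != "hammer")
    # Assumed axiom for "on": switched on, or already on and not hammered.
    on = action == "switchOn" or ("on" in s and action != "hammer")
    return frozenset(f for f, v in (("functioning", functioning), ("on", on)) if v)


def believes(B, p):
    """Holds(believes(ag, p), s): p holds in every B-accessible alternative."""
    return all(p(s) for s in B)


def aware_physical(A, B, action):
    """Axioms (1) and (2) for an aware agent and a non-cognitive action:
    push every alternative where the action is possible through do."""
    def step(X):
        return {do(action, s) for s in X if poss(action, s)}
    return step(A), step(B)


def expand(A, B, p):
    """expand_B(p): keep only the plausible alternatives where p holds."""
    return A, {s for s in B if p(s)}


def select(A, B, p):
    """Constructed selection fluent S_B. Restriction 1: selected alternatives
    lie in the cluster A and falsify p. Restriction 2: if a plausible
    alternative already falsifies p, stay inside B. Otherwise pick the
    not-p alternatives differing in the fewest fluents from a plausible one."""
    neg = {s for s in A if not p(s)}
    if neg & B:
        return neg & B
    if not neg or not B:
        return neg
    def dist(s):
        return min(len(s ^ b) for b in B)
    best = min(dist(s) for s in neg)
    return {s for s in neg if dist(s) == best}


def contract(A, B, p):
    """contract_B(p): add the selected not-p alternatives to the plausible ones."""
    return A, B | select(A, B, p)


def revise(A, B, p):
    """Levi identity: contract not-p first, then expand with p."""
    A1, B1 = contract(A, B, lambda s: not p(s))
    return expand(A1, B1, p)


def belief_set(A, B):
    """Cognitive set E_B, with each proposition identified by its extension
    in the cluster: every subset of A that contains all of B."""
    rest = list(A - B)
    return {frozenset(B) | frozenset(c)
            for r in range(len(rest) + 1) for c in combinations(rest, r)}


if __name__ == "__main__":
    A = all_states()
    fn = lambda s: "functioning" in s
    B = {frozenset({"functioning"})}      # constructed initial belief state
    _, Bc = contract(A, B, fn)
    print("after contract:", sorted(map(sorted, Bc)))
    print("inclusion holds:", belief_set(A, Bc) <= belief_set(A, B))
    print("recovery holds:", expand(A, Bc, fn)[1] == B)
    print("revise(not functioning):", revise(A, B, lambda s: not fn(s))[1])
    print("aware of switchOn:", aware_physical(A, Bc, "switchOn")[1])
```
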

6 Describing Agents 

In general, theories of agents can be exploited for two quite different tasks. On
the one hand, designing an agent is the task addressed by most of the
existing formalisms proposed in the literature. It implies the view of an agent under
an internal perspective, namely the standpoint of the agent itself. The main
aim is to take into account agent cognitive state in order to determine how an
agent ought to effect changes in the environment. Thus, designing agents can
be roughly described as the problem of defining how communication affects the
mental state of the agent, and how the cognitive state determines the actions
performed by the agent. In this sense, the character of these theories is prescriptive,
for they define what an agent should do, or at least should try to do.

On the other hand, the task of modelling an agent has been rather disregarded 
in the literature. In this case the perspective is external, namely of someone that 
observes agents. The aim is to describe what the content of agents’ cognitive state 
could be, based on the observed behaviour. Thus, modelling assumes now a more 
descriptive character. This task implies as before the definition of relationships
between communication and the mental state of the agent. But, the other type of 
relationship, i.e., between cognitive state and the actions performed, becomes less 
interesting. This happens because now the aim is to find out a description of the 
cognitive state of the agent, based on the actions observed. Thus, as also noted
by Haddadi [7], unlike external theories, internal theories are not concerned, in 
general, with providing a basis for the rational formation and achievement of 
intentions. For instance, problems like planning may be thought of as having 
the aim of designing agents. Here what is needed is roughly to determine a 
behaviour, or program, that brings to a certain goal, given a specification of the 
current state, and a model of the hypothetical futures of a state. A different 
problem instead is tracking, or executing, agents, i.e., determining the state that 
has been actually reached after performing certain actions in some initial state. 
This problem is crucial to many important applications based on modelling or 
verifying systems where mental attitudes play some role (see, for instance [5]). 

In [2] we further develop our theory of agents and present a framework for 
modelling agents related to the problem of User Modelling. In order to provide 
the ability to describe agents, we introduce there two new predicates Actual 
and Performs. In this limited exposition we only briefly sketch the intuition 
underlying the former predicate. Actual takes a sit argument and has a twofold 
meaning. First, a situation is actual if it represents the real world, independent 
of agents’ biases and desires. Thus if we want to examine which features de- 
scribe a given state, we have to take into account properties (fluents) holding in 
the corresponding actual situation. Furthermore, this predicate is also intended 
to single out a path of situations that have already occurred. Thus, an actual 
situation is meant to be the result of a sequence of actions that have been ac- 
tually performed (by a set of agents). A similar notion, outside the context of 
alternative situations, has been used by Pinto in [16], where he notes that this
allows the selection of a path of situations among the many branches describing
the possible courses of events. Axioms for this predicate state that an actual
situation can only have a predecessor that is actual as well, and that each actual
situation has at most one actual successor:

$Actual(do(ag, a, s)) \rightarrow Poss(ag, a, s) \wedge Actual(s)$;

$Actual(do(ag, a, s)) \wedge Actual(do(ag', a', s)) \rightarrow ag = ag' \wedge a = a'$.

An actual situation of the form do(ag, a, s) expresses that ag has actually
performed a in s. Besides, the “predecessor” s must also be actual, and if this is
still of the form do(ag', a', s') we determine a sequence of actions/agents up to
an initial situation. Thus it is possible to reason on the past of a given state and
not only on its future. For instance it is now possible to specify formally the
condition expressing that only agents who change their cognitive attitudes are
aware of it, as we demanded before introducing Axiom 2, i.e.:

$Actual(do(ag, a, s)) \wedge (a = contract_X(p) \vee a = expand_X(p)) \rightarrow (Aware(ag, ag', a, s) \equiv ag = ag')$

for $X \in \{B, G\}$. Moreover, by means of this predicate it is possible to single out
one situation, among the many alternatives, thus describing the real state of the
environment, and hence of agents’ cognitive state.

7 Conclusions and Discussion

We have developed a first-order formalism for dealing with agents’ beliefs and 
goals. In particular, we have taken into consideration the dynamics of mental 
attitudes, as a consequence of both changes in the external world and cognitive 
inputs. One of our ongoing objectives is to use the changes of the cognitive 
notions presented here for representing communicative acts among agents, such 
as those discussed by Mayfield et al. in [13]. Interesting applications could be in 
the area of User Modelling and Student Modelling, as we show in [4,3]. Work 
is in progress to provide significant applications of the framework presented for 
modelling the interactions between interactive systems and users [2].

A limitation of our notion of goals is that we do not consider the possibility of
expressing temporal relations among goals. For instance, it is not possible to state
that an agent has a certain goal only after another goal has been achieved.
In this case, however, a possible extension dealing with this aspect could be
conceived by replacing alternative desirable situations with alternative paths,
i.e., alternative sequences of actions and situations describing possible future courses of
events. Besides, as we are mainly concerned with modelling agents, where actions 
are already given as input to the problem, as opposed to designing agents, where 
actions need to be determined, no relation between goals and action has been 
explicitly modelled. A possible way to represent such a relation could be given by 
forcing some constraints between plausible and desirable situations, analogously 
to what is done, e.g., by Rao and Georgeff in [18]. 

Our work follows in many respects the logical approach to agent programming
carried out by Lesperance et al. in [10]. However, that work is concerned
with programming agents as opposed to our aim of modelling them. Besides,
in that work only agents’ knowledge is considered, and other mental attitudes 
are not dealt with. Lesperance et al. focus on the possibility to handle percep- 
tual actions among agents, and discuss an application for a meeting schedule 
problem. On the contrary, we have considered and characterized more basic cog- 
nitive actions. In [23], Shapiro et al. introduce, under the same logical approach, 
a cognitive attitude accounting for one agent’s goals, and express a concept of 
rationality that binds goals to actions. Though goals, defined as a second-order 
abbreviation in terms of future paths, seem to allow also for the representation 
of future objectives, they consider only a single agent case, and do not account 
for cognitive actions. Konolige and Pollack [9] refer to a definition of intentions
based on minimal modal models, along with a normal modal operator for representing
beliefs. Suitable relations between these operators prevent the
side-effect problem. However, their framework fits only static situations where
no dynamic acquisition is dealt with. Rao and Foo [17] define modal operators 
to represent cognitive actions in temporal modal logic and apply them in or- 
der to reason about actions. A semantical characterization of cognitive actions 
is given in terms of selection functions for expansions and contractions. The 
characterization of change due to action they give is based on revision, and 
does not account for the difference between revision and update pointed out by 
Katsuno and Mendelzon in [8]. Many ideas about how to perform revision in
a possible-worlds setting have been drawn from van Linder et al. in [26]. However,
in their work no account is given of goals (but see van Linder et al. [25]
for an account of motivational attitudes) and their aim is to define a theorist
logic for specifying and reasoning about agents rather than modelling them. Due
to the different underlying formalism, i.e., situation calculus versus PDL, other 
differences can be pointed out between the two approaches. First, we note that 
our characterization of agents’ attitudes is first-order and not modal. Thus, the 
various methods for automated deduction developed for first-order theories can 
be directly exploited for reasoning in our framework. Moreover, as we highlight 
in [2], a main difference between situation calculus and modal approaches is
that in the former case situations are defined at the syntactic level, whereas in 
the latter case worlds are defined semantically. Thus in the situation calculus it 
is possible to state explicit (first-order) properties of situations, e.g., structural 
relations, even in cases where, according to the Correspondence Theory (see, 
e.g., van Benthem [24]), the same properties are not definable for modal accessi- 
bility relations (that belong to the semantic structures) among worlds. Another 
interesting aspect is that by defining situations as terms, it is possible to keep 
track of the history of the actions performed within the term itself. This feature, 
which is not straightforwardly representable for transitions among states in dy- 
namic logic, is very appealing, especially for modelling purposes where it may 
be important to represent also the past history of interaction.

Abstract. In this paper we introduce an agent-based framework for the diagnosis
of spatially distributed technical systems, based on a suitable distributed
diagnosis architecture. We implement the framework using the concepts of vivid 
agents and extended logic programming. To demonstrate the power of our ap- 
proach, we solve a diagnosis example from the domain of unreliable datagram 
protocols. 



1 Introduction 

The advent of large distributed technical systems like computer and telecommunication 
networks has been one of the most striking developments of our time. Research in 
model-based diagnosis has up to now not tackled the question how to support such 
systems by a suitable diagnosis architecture. 

We introduce an agent-based framework for the diagnosis of spatially distributed 
systems. The motivation for such a framework is the unnecessary complexity and com- 
munication overhead of centralized solutions. Consider a distributed system with n 
nodes, e.g. a computer network consisting of n machines. When using a centralized 
diagnosis system the size of the system description (i.e. number of ground formulas) 
is linear in n. Diagnosis time will usually be worse than linear in n [MH93]. Also all 
observations have to be transmitted to the central diagnosis machine, causing a large 
communication overhead. 

Our agent-based approach decomposes a system into a set of subsystems. Each 
subsystem is diagnosed by an agent which has detailed knowledge over its subsystem 
and an abstract view of the neighboring subsystems. Most failures can be diagnosed 
locally within one subsystem. This decreases diagnosis time dramatically in large sys- 
tems. In the case of the computer network most machines in a subnet can usually fail 
without affecting machines in other subnets. Only those computers in other subnets can 
be affected which have sent messages to the faulty machine. Moreover, the local com- 
putation of diagnoses avoids the communication overhead which would be needed to 
forward all observations to the central diagnosis engine. 

Failures which affect more than one subsystem are diagnosed by the agents cooper- 
ating with each other. The cooperation process is triggered locally by an agent, when it 
realizes that it can not explain the observations by a failure in its own subsystem. The 
cooperation process is guided by a small amount of topological information. 

J.-J. Ch. Meyer, P.-Y. Schobbens (Eds.): Formal Methods of Agents, LNAI 1760, pp. 173-186, 1999. 

© Springer-Verlag Berlin Heidelberg 1999







Peter Frohlich et al. 



We have implemented spatially distributed diagnosis using extended logic program- 
ming [SdAMP96,SW96] and the vivid agents concept [Wag96a,Wag96b]. Vivid agents 
support both the declarative description of the domain by a flexible knowledge base 
component and the specification of the reactive behavior of agents by a set of rules,
which are activated by communication events. 

To demonstrate the power of our approach we formalize the domain of an unreliable 
protocol (like UDP) in a computer network and diagnose an example scenario. 

2 Spatially Distributed Diagnosis 

In [FN96] semantical and spatial distribution are identified as the relevant distribution
concepts for diagnosis. Semantical distribution refers to a situation where the knowl- 
edge is distributed among the agents. Each agent is an expert for a certain problem 
domain. Diagnostic concepts for semantical distribution must rely on external criteria 
rather than cooperation among the agents because the knowledge bases of the diagnos- 
tic agents are not compatible. In this paper we describe spatially distributed diagnosis. 
Distributed technical systems often consist of subsystems which have the same struc- 
ture. So we can describe the subsystems by a common set of axioms. The particular 
properties of the concrete subsystem are defined by logical facts. As we will see, the 
description of the subsystems by a common vocabulary allows us to resolve conflicts 
using cooperation among the agents. After giving a short overview of the necessary 
concepts of model-based diagnosis, we will describe our view of spatially distributed 
diagnosis in more detail. Then we will define the diagnostic conflicts between the sub- 
systems as well as the distributed diagnosis concept formally. 

2.1 Model-based Diagnosis 

In model-based diagnosis [Rei87] a simulation model of the device under considera- 
tion is used to predict its normal behavior, given the observed input parameters. Diag- 
noses are computed by comparison of predicted vs. actual behavior. This approach uses 
an extendible logical model of the device, called the system description (SD), usually 
formalized as a set of formulas expressed in first-order logic. The system description 
consists of a set of axioms characterizing the behavior of system components of certain 
types. The topology is modeled separately by a set of facts. 

We will now define the diagnostic concept mathematically. The diagnostic prob- 
lem is described by system description SD, a set COMP of components and a set OBS 
of observations (logical facts). With each component we associate a behavioral mode: 
Mode(c, Ok) means that component c is behaving correctly, while Mode(c, Ab)
(abbreviated by Ab(c)) denotes that c is faulty. In Consistency-Based Diagnosis, the concept
we are using throughout this paper, a Diagnosis D is a set of faulty components, such 
that the observed behavior is consistent with the assumption, that exactly the compo- 
nents in D are behaving abnormally. If a diagnosis contains no proper subset which is 
itself a diagnosis, we call it a Minimal Diagnosis. 

Definition 1 (Reiter 87). A Diagnosis of $(SD, COMP, OBS)$ is a set $\Delta \subseteq COMP$, such
that $SD \cup OBS \cup \{Mode(c,Ab) \mid c \in COMP\} \cup \{\neg Mode(c,Ab) \mid c \in COMP - \Delta\}$ is
consistent. $\Delta$ is called a Minimal Diagnosis, iff it is the minimal set (wrt. $\subseteq$) with this
property.

Minimal Diagnoses are a natural concept, because we do not want to assume that a
component is faulty, unless this is necessary to explain the observed behavior. Since the
set of minimal diagnoses can be still quite large and the ultimate goal is to identify a
single diagnosis, stronger minimality criteria are used which allow stronger discrimination
among the diagnoses. The most frequently used concepts are Minimal Cardinality
Diagnosis and Most Probable Diagnosis. In addition to these stronger definitions of
diagnosis the agents can use measurements to discriminate among competing diagnoses.
For our distributed diagnosis framework we assume that every agent has identified a
single diagnosis for its subsystem.

2.2 Properties of Spatial Distribution 

Spatial distribution is a natural organization scheme for the distributed diagnosis of
large technical systems like communication networks. With each agent we associate a
certain area of the system, for which it is responsible. Consider a large distributed
system, e.g. a communication network, which is divided into a set of spatially distributed
subsystems (subnets), as shown in figure 1. Each square in the grid is a subsystem and
has a diagnostic agent associated with it.



Fig. 1. A communication network (figure not reproduced; surviving agent labels: A1, A2, A3)



What could be the system view of agent $A_1$? Of course, it has detailed knowledge
about its own subsystem (provided by the control component). For components in its
own subsystem the agent itself is responsible and its diagnoses are reliable. Since it
does not share its local observations and measurements with other agents (except for
specialized information used during cooperation) it is the only agent which can
compute a detailed diagnosis of its subsystem. In the decentralized structure of this network,
the machine $C_2$ must have at least some routing information. It has to know that there
are two adjacent subnets $N_2$ and Nq, to which it can send information. More generally
we assume that each agent has some information on the neighboring subsystems, i.e.
the subsystems directly connected to its own in the system structure.

Now we will describe this view by means of abstractions and simplifications: An
agent $A_i$ knows only the name of each neighboring subnet $N_j$ (and perhaps a name
of a server within $N_j$) but not $N_j$'s internal structure. When $A_i$ diagnoses an error
involving subnet $N_j$ (e.g. a lost message routed via $N_j$), then the diagnosis will contain
$Mode(N_j, Ab)$. The abstract literal $Mode(N_j, Ab)$ implicitly implies that some particular
component within $N_j$ is faulty. In general, an agent $A_i$ has an abstract model of
the neighboring subsystems. Furthermore, $A_i$ only knows that $N_j$ is the first subnet
on the route to the destination of the lost message. It is a simplifying assumption that
$N_j$ is the only subnet involved in the transmission. Stated more generally, an agent $A_i$
initially uses the simplifying assumption that all errors it cannot explain are caused by
its immediate neighbors. We will see how it can get more detailed information during
the cooperation process.

2.3 Formalization 

The subsystems and also the components within each subsystem have standard names.
A predicate Area_Component denotes that component c is situated within area a of
the system. We call the extension of this predicate for a given system the Component
Hierarchy.

Definition 2 (Component Hierarchy.). The Component Hierarchy CH for a distributed
system is a set of facts for the predicate Area_Component.

Example 3. For our communication network we have

$CH : \{Area\_Component(N_1, C_1), Area\_Component(N_1, C_2), \ldots\}$

Using the predicate Area_Component, we can formulate a consistency condition
between the abstract subsystem-level and the detailed component level. We define the
consistency of abstractions axiom:

Definition 4 (Consistency of Abstractions.). The axiom 

$CA : \forall c. ((Mode(c,Ab) \wedge \exists d. Area\_Component(c,d)) \rightarrow \exists e. (Area\_Component(c,e) \wedge Mode(e,Ab)))$

requires, that each abnormality of an abstract component is caused by an abnormality 
of one of its subcomponents. 

The axiom Disjointness of Modes states that a component can only be in one behav- 
ioral mode and is expressed by the following axiom: 

Definition 5 (Disjointness of Modes.). 

$DM : \forall c. \forall m_1. \forall m_2. (Mode(c,m_1) \wedge Mode(c,m_2)) \rightarrow m_1 = m_2$

2.4 Diagnosis by Cooperation

Each diagnostic agent knows only a small part of the entire system. It can compute 
diagnoses independently, because it maintains a set of assumptions concerning the other 
parts of the system. In this paper, we will assume that all locally computed diagnoses are 
considered as reliable. The gain from distributed diagnosis is that a lot of problems
can be solved locally so that the simplifying assumptions hold. The cooperation process 
is necessary when an agent cannot detect a faulty component within its subsystem. In 
this case, it starts a cooperation process: 

Definition 6 (Need for Cooperation). Given observations OBS, a component hierarchy
CH, the axiom of consistency of abstractions CA, and a system description SD such
that $CH, CA \in SD$. If $A_i$ believes that it is not abnormal, but a neighbour is, i.e.

$SD_{N_i} \cup OBS \models \neg Mode(N_i, Ab)$ and $SD_{N_i} \cup OBS \cup \{Mode(N_j, Ab)\} \not\models \bot$

then there is a need for cooperation to determine a global diagnosis and $N_j$ is a
possible partner for cooperation.

Example 7. In the example of the communication network the observation of a lost
message (let us assume an unreliable protocol such as UDP) means that it was
lost somewhere on the way from sender to recipient. But of course the agents
know only their own subnet in detail and have an abstract view of the neighboring
subnets. The predicate Message_Lost represents a reported loss of a datagram.
$Message\_Lost(N_1, C_7)$ means that a lost message has been reported which was sent
from network $N_1$ to a node $C_7$. When agent $A_i$ transmits a message via a neighboring
subnet $N_j$ and the message is lost, $A_i$ will assume that it was lost in $N_j$ since this
is the only point on the route it knows. We can formalize this simplifying assumption
explicitly by introducing a predicate On_Route.

$CLM : Message\_Lost(Sender, Recipient) \rightarrow \exists n. (On\_Route(Sender, Recipient, n) \wedge Mode(n,Ab))$

is called Existence of a Cause for a Lost Message.

Initially, each agent A, knows the following facts about On -Route, if is the 
routing table entry of Recipient f.\ 

RT : On -Route(Ni, Recipient^, Ni) OnJioute(Ni, Recipient^, 

On-Route(Ni,Recipient 2 , Ni) On-Route(Ni, Recipient 2 , N^^). . . 

Now assume a message gets lost from $N_1$ to $C_7$, i.e. $Message\_Lost(N_1, C_7)$, and
the agent $A_1$ determines that it is not its fault, i.e. $\neg Mode(N_1, Ab)$ holds. Then $A_1$
computes a local diagnosis $Mode(N_2, Ab)$ and thus there is a need for cooperation in
order to obtain a global solution.

A cooperation process is started by sending/receiving an observation. With the new 
observation the agent computes diagnoses which can lead to three different situations. 
First, it might turn out that it is abnormal itself. Then other solutions can be neglected
since we assume that the agents have certain knowledge about their own state. Second,
there are no diagnoses at all which means that the initial fault is intermittent. Third, 
there is a need for cooperation. Then the agent refines the received observation and 
sends it to the neighbor waiting for its reply. In any of the cases the requesting agent is 
informed of the final result. 

Definition 8 (Diagnosis by Cooperation). Given an agent $A_1$ which receives a message
from agent $A_2$ with an observation OBS such that $SD_{A_1} \cup OBS \models \bot$ then there
are three cases:

1. $SD_{A_1} \cup OBS \cup \{Mode(N_1, Ab)\} \not\models \bot$, i.e. the agent's own subsystem is faulty

2. there are no D such that $SD_{A_1} \cup OBS \cup D \not\models \bot$, then there must have been an
intermittent failure

3. there is a need for cooperation (see definition 6) and the observation is refined and
sent to another agent which is then in charge of providing a diagnosis result

The diagnosis result is sent to $A_2$.

Example 9. Assume $A_1$ receives by a subcomponent the message that a message is lost
from $N_1$ to $C_7$ and $N_1$ not being abnormal. A diagnosis of $A_1$ is that $A_2$ is abnormal
and thus there is a need for cooperation. The initial observation $Message\_Lost(N_1, C_7)$
is refined as follows:

$RO : Message\_Lost(Sender, Recipient) \wedge \neg Mode(Sender, Ab) \wedge On\_Route(Sender, Recipient, Next\_Sender) \rightarrow New\_Message\_Lost(Next\_Sender, Recipient)$

The new observation is sent to $A_2$. Since $A_2$ is not abnormal this agent asks $A_3$ for
help. $A_3$ is faulty and replies that it is responsible. $A_2$ passes this result to $A_1$. The
union of all system descriptions involved is consistent with the final diagnosis of $A_3$.

Now we can define distributed diagnosis. A diagnosis for the union of all system 
descriptions is called distributed diagnosis: 

Definition 10 (Distributed Diagnosis). A Distributed Diagnosis of
$(\{SD_{A_1}, \ldots, SD_{A_n}\}, COMP, OBS)$ is a set $\Delta \subseteq COMP$, such that
$SD_{A_1} \cup \ldots \cup SD_{A_n} \cup OBS \cup \{Mode(c,Ab) \mid c \in COMP\} \cup \{\neg Mode(c,Ab) \mid c \in COMP - \Delta\}$ is
consistent.

Example 11. $\{Mode(N_3, Ab), Mode(C_7, Ab)\}$ is a distributed diagnosis for the system
description and observations in the above example.

In order to implement the scenario above we need separate diagnostic agents for 
each area. The agents need a knowledge base containing the description of their area 
and they have to be capable of reactive behavior in order to solve a problem in co- 
operation with other agents. The theoretical basis of the implementation is the con- 
cept of vivid agents [Wag96b] and a prototype developed for fault-tolerant diagnosis 
[SdAMP96,SW96]. Below we briefly review the vivid agents and extended logic
programming. We proceed by showing how the axioms can be expressed as an extended logic
program and how the agents' reactive behavior is coded in terms of reaction rules. We
round out the picture with a trace of the agents' communication after a message is lost.

3 Vivid Agents

A vivid agent is a software-controlled system whose state is represented by a knowl- 
edge base, and whose behavior is represented by means of action and reaction rules. 
Following [Sho93], the state of an agent is described in terms of mental qualities, such 
as beliefs and intentions. The basic functionality of a vivid agent comprises a knowl- 
edge system (including an update and an inference operation), and the capability to 
represent and perform actions in order to be able to generate and execute plans. Since a 
vivid agent is 'situated' in an environment with which it has to be able to communicate,
it also needs the ability to react in response to perception events, and in response to 
communication events created by the communication acts of other agents. Notice that 
the concept of vivid agents is based on the important distinction between action and re- 
action: actions are first planned and then executed in order to solve a task or to achieve 
a goal, while reactions are triggered by perception and communication events. Reac- 
tions may be immediate and independent from the current knowledge state of the agent 
but they may also depend on the result of deliberation. In any case, they are triggered 
by events which are not controlled by the agent. A vivid agent without the capability 
to accept explicit tasks and to solve them by means of planning and plan execution is 
called a reagent. The tasks of reagents cannot be assigned in the form of explicit ('see to
it that') goals at run time, but have to be encoded in the specification of their reactive
behavior at design time. 

We do not assume a fixed formal language and a fixed logical system for the 
knowledge-base of an agent. Rather, we believe that it is more appropriate to choose 
a suitable knowledge system for each agent individually according to its domain and its 
tasks. In the case of diagnosis agents, extended logic programs proved to be an appropriate
form of the knowledge base of an agent because it is essential for model-based
diagnosis to be able to represent negative facts, default rules and constraints. 

3.1 Specification and Execution of Reagents 

Simple vivid agents whose mental state comprises only beliefs, and whose behavior is
purely reactive, i.e. not based on any form of planning and plan execution, are called
reagents. A reagent $A = (X, EQ, RR)$, on the basis of a knowledge system K, consists
of

1. a knowledge base $X \in L_{KB}$,

2. an event queue EQ being a list of instantiated event expressions, and

3. a set RR of reaction rules, consisting of epistemic and physical reaction and interaction
rules which code the reactive and communicative behavior of the agent.

A multi-reagent system is a tuple of reagents $S = (A_1, \ldots, A_n)$.

Operational Semantics of Reaction Rules Reaction rules encode the behavior of vivid
agents in response to perception events created by the agent's perception subsystems,
and to communication events created by communication acts of other agents. We distinguish
between epistemic, physical and communicative reaction rules, and call the latter
interaction rules. We use $L_{PEvt}$ and $L_{CEvt}$ to denote the perception and communication
event languages, and $L_{Evt} = L_{PEvt} \cup L_{CEvt}$. The following table describes the
different formats of epistemic, physical and communicative reaction rules:

$Eff \leftarrow recvMsg[\varepsilon(U), S], Cond$
$do(\alpha(V)), Eff \leftarrow recvMsg[\varepsilon(U), S], Cond$
$sendMsg[\eta(V), R], Eff \leftarrow recvMsg[\varepsilon(U), S], Cond$

The event condition $recvMsg[\varepsilon(U), S]$ is a test whether the event queue of the agent
contains a message of the form $\varepsilon(U)$ sent by some perception subsystem of the agent
or by another agent identified by S, where $\varepsilon \in L_{Evt}$ represents a perception or a
communication event type, and U is a suitable list of parameters. The epistemic condition
$Cond \in L_{Query}$ refers to the current knowledge state, and the epistemic effect
$Eff \in L_{Input}$ specifies an update of the current knowledge state.

Physical Reaction: $do(\alpha(V))$ calls a procedure realizing the action $\alpha$ with parameters
V.

Communicative Reaction: $sendMsg[\eta(V), R]$ sends the message $\eta \in L_{CEvt}$ with
parameters V to the receiver R.

Both perception and communication events are represented by incoming messages. In 
general, reactions are based both on perception and on knowledge. Immediate reactions 
do not allow for deliberation. They are represented by rules with an empty epistemic 
premise, i.e. Cond = true. Timely reactions can be achieved by guaranteeing fast 
response times for checking the precondition of a reaction rule. This will be the case, 
for instance, if the precondition can be checked by simple table look-up (such as in
relational databases or fact bases). 

Reaction rules are triggered by events. The agent interpreter continually checks the 
event queue of the agent. If there is a new event message, it is matched with the event 
condition of all reaction rules, and the epistemic conditions of those rules matching 
the event are evaluated. If they are satisfiable in the current knowledge base, all free 
variables in the rules are instantiated accordingly resulting in a set of triggered actions
with associated epistemic effects. All these actions are then executed, leading to phys- 
ical actions and to sending messages to other agents, and their epistemic effects are 
assimilated into the current knowledge base. 
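The interpreter cycle described above, applied to the lost-message cooperation of Definition 8 and Example 9, as an added Python example (not the authors' vivid-agents implementation). The rule functions, message tuples, the `env` pseudo-sender and the component placement are assumptions made for illustration; only the route n1, n2, n3 for c7 and the final diagnosis follow Examples 9 and 11.

```python
from collections import deque

# Constructed data: the route n1 -> n2 -> n3 for c7 follows Example 9;
# the placement of components in areas is an assumption for illustration.
ROUTES = {("n1", "c7"): "n2", ("n2", "c7"): "n3"}   # on_route(Self, Recipient, Next)
AREA_COMPONENT = {"n1": {"c1", "c2"}, "n2": {"c3", "c4"}, "n3": {"c7"}}


class Reagent:
    """A reagent (X, EQ, RR): knowledge base, event queue, reaction rules."""

    def __init__(self, name, faulty):
        self.name = name
        # Knowledge base: Mode(c, Ab) facts for the agent's own area only.
        self.kb = {("ab", c) for c in AREA_COMPONENT[name] if c in faulty}
        self.eq = deque()                      # entries are (sender, event)
        self.rr = [self.own_fault, self.refine_and_forward,
                   self.intermittent, self.relay_result]

    def own_ab(self):
        return {fact[1] for fact in self.kb if fact[0] == "ab"}

    # Each rule returns a list of sendMsg actions [(receiver, message)] when its
    # event condition and epistemic condition hold, and None otherwise.
    def own_fault(self, ev, sender):           # Definition 8, case 1
        if ev[0] == "message_lost" and self.own_ab():
            diagnosis = frozenset(self.own_ab() | {self.name})
            return [(sender, ("diagnosis", ev[2], diagnosis))]

    def refine_and_forward(self, ev, sender):  # case 3, using refinement RO
        nxt = ROUTES.get((self.name, ev[2])) if ev[0] == "message_lost" else None
        if nxt and not self.own_ab():
            self.kb.add(("asked_by", ev[2], sender))      # epistemic effect
            return [(nxt, ("message_lost", nxt, ev[2]))]

    def intermittent(self, ev, sender):        # case 2: no candidate is left
        if (ev[0] == "message_lost" and not self.own_ab()
                and (self.name, ev[2]) not in ROUTES):
            return [(sender, ("diagnosis", ev[2], frozenset()))]

    def relay_result(self, ev, sender):        # pass the reply to the requester
        if ev[0] != "diagnosis":
            return None
        waiting = [f for f in self.kb if f[:2] == ("asked_by", ev[1])]
        self.kb.difference_update(waiting)
        return [(f[2], ev) for f in waiting]

    def step(self):
        """Take one event from the queue and fire every rule that matches it."""
        sender, ev = self.eq.popleft()
        actions = []
        for rule in self.rr:
            actions.extend(rule(ev, sender) or [])
        return actions


def diagnose(faulty, sender_net="n1", recipient="c7"):
    """Run the multi-reagent system; return (diagnosis, list of (from, to) hops)."""
    agents = {name: Reagent(name, faulty) for name in AREA_COMPONENT}
    agents[sender_net].eq.append(("env", ("message_lost", sender_net, recipient)))
    trace, result = [("env", sender_net)], None
    while any(agent.eq for agent in agents.values()):
        for agent in agents.values():
            if not agent.eq:
                continue
            for receiver, msg in agent.step():
                trace.append((agent.name, receiver))
                if receiver == "env":
                    result = msg[2]            # final diagnosis reaches the reporter
                else:
                    agents[receiver].eq.append((agent.name, msg))
    return result, trace


if __name__ == "__main__":
    print(diagnose({"c7"}))
```

An empty result set corresponds to the intermittent-failure case: every agent on the route is certain of its own state and none of them is abnormal.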

4 Extended Logic Programming and Diagnosis 

Since Prolog became a standard in logic programming much research has been devoted 
to the semantics of logic programs. In particular, Prolog's unsatisfactory treatment of 
negation as finite failure led to many innovations. Well-founded semantics turned out to 
be a promising approach to cope with negation by default. Subsequent work extended 
well-founded semantics with a form of explicit negation and constraints [AP96] and 
showed that the richer language, called WFSX, is appropriate for a spate of knowl- 
edge representation and reasoning forms. In particular, the technique of contradiction 
removal of extended logic programs opens up many avenues in model-based diagnosis.

Definition 12 (Extended Logic Program). An extended logic program is a (possibly
infinite) set of rules of the form

$L_0 \leftarrow L_1, \ldots, L_m, not\ L_{m+1}, \ldots, not\ L_n \quad (0 \le m \le n)$

where each $L_i$ is an objective literal ($0 \le i \le n$). An objective literal is either an atom
A or its explicit negation ¬A.¹ Literals of the form not L are called default literals.
Literals are either objective or default ones.

To capture that it is contradictory for the predicted behavior to differ from the actual 
observations, we introduce integrity constraints: 

Definition 13 (Constraint). An integrity constraint has the form

$\bot \leftarrow L_1, \ldots, L_m, not\ L_{m+1}, \ldots, not\ L_n \quad (0 \le m \le n)$

where each $L_i$ is an objective literal ($0 \le i \le n$), and $\bot$ stands for false.

In order to avoid a contradiction we change the beliefs that support the contradic- 
tion. The only beliefs that are subject to change concern the closed world assumption 
ones. From these we can define a set of revisable default literals, whose truth values 
may be changed to remove contradictions. 

Definition 14 (Revisable). The revisables R of a program P are a subset of the default
negated literals which do not have rules in P.

In general, we might remove a contradiction by partially dropping the closed world 
assumption about some revisable. To declaratively define the contradiction removal, we 
consider all subsets R' of the revisables, change the truth value of the literals in R' from 
false to true and check whether the revised program is still contradictory. Among those 
revisions that remove the contradiction we are interested in the minimal ones: 

Definition 15 (Revision). Let $R$ be the revisables of the program $P$. The set $R' \subseteq R$
is called a revision if it is a minimal set such that $P \cup R'$ is free of contradiction.

The revision of contradictory extended logic programs is a suitable technique to 
compute diagnoses for model-based diagnosis. 



4.1 The Agents' Knowledge Base

Using the extended logic programming formalism, the agents' knowledge base contains
the following logic sentences:

* Note that explicit and implicit negation are related: $\neg L$ implies $\mathit{not}\, L$.

Routing tables. The routing information comprises facts stating to which neighbor node
a message addressed to a component has to be sent. The knowledge is local since each
agent only knows its neighbors. In order to keep the facts in a single knowledge base
which is the same for all agents the facts hold only for the respective agent. For
example, for n1 and n2 we get the following routing tables:

RT :
    on_route(n1, c3, n2)  ← i_am(n1).
    on_route(n1, c4, n2)  ← i_am(n1).
    on_route(n1, c5, n2)  ← i_am(n1).
    on_route(n1, c6, n2)  ← i_am(n1).
    on_route(n1, c7, n2)  ← i_am(n1).
    on_route(n1, c8, n6)  ← i_am(n1).
    on_route(n1, c9, n2)  ← i_am(n1).
    on_route(n1, c10, n2) ← i_am(n1).

    on_route(n2, c1, n1)  ← i_am(n2).
    on_route(n2, c2, n1)  ← i_am(n2).
    on_route(n2, c5, n3)  ← i_am(n2).
    on_route(n2, c6, n3)  ← i_am(n2).
    on_route(n2, c7, n3)  ← i_am(n2).
    on_route(n2, c8, n1)  ← i_am(n2).
    on_route(n2, c9, n5)  ← i_am(n2).
    on_route(n2, c10, n5) ← i_am(n2).



Component Hierarchy. Additionally, each agent knows its components. Since this
knowledge is local it is only derivable for the respective agent.

CH :
    area_component(n1, c1)  ← i_am(n1).
    area_component(n1, c2)  ← i_am(n1).
    area_component(n2, c3)  ← i_am(n2).
    area_component(n2, c4)  ← i_am(n2).
    area_component(n3, c5)  ← i_am(n3).
    area_component(n3, c6)  ← i_am(n3).
    area_component(n3, c7)  ← i_am(n3).
    area_component(n6, c8)  ← i_am(n6).
    area_component(n5, c9)  ← i_am(n5).
    area_component(n4, c10) ← i_am(n4).

Disjointness of Modes. In the implementation we model only two modes, abnormality
(ab) and being ok (not ab). Therefore disjointness of modes is satisfied. The predicate
ab is revisable. The default truth value of the predicate ab is false, which means that
by default we assume components to be working fine. Possible contradictions to this
assumption are caused by violation of consistency of abstraction and existence of a
cause for a lost message.



Consistency of Abstraction. An abnormal area contains at least one abnormal component.
A contradiction arises if the area is detected to be abnormal but no faulty component
is abduced. This constraint has only local character (i_am), since an agent cannot
detect abnormal components of other areas.

CA :
    ⊥ ← i_am(N), ab(N), not has_ab_component(N).
    has_ab_component(N) ← area_component(N, C), ab(C).

Existence of a cause for a lost message. The basic integrity constraint to start the
diagnostic process states that it is contradictory to observe a lost message from node N
to component C and not to have lost it on the route from N to C. The message is lost
somewhere on this route if at least one of the involved nodes is abnormal:

CLM :
    ⊥ ← message_lost(N, C), not lost_on_route(N, C).
    lost_on_route(N, C) ← ab(N).
    lost_on_route(N, C) ← on_route(N, C, M), ab(M).

The following constraint allows us to abduce new observations. If a message is lost
from N to C and M is a neighbor of N which is assumed to be abnormal by N, then
N abduces the new observation that the message was lost on the way from M to C:

RO :
    ⊥ ← message_lost(N, C), on_route(N, C, M),
        ab(M), not new_message_lost(M, C).
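
The contradiction removal of Definition 15 applied to the constraints CA, CLM and RO, as an added example that is not code from the paper. It brute-forces the subsets of the revisables for a small ground knowledge base instead of running a WFSX interpreter, hard-codes the three constraints, and assumes that the route to c7 passes n1, n2 and n3 as in the scenario of Section 4.3; the function names are chosen here.

```python
from itertools import combinations

# Constructed excerpt of the knowledge base: only the route to c7 and the
# components of the three agents that the route passes through.
ON_ROUTE = {("n1", "c7"): "n2", ("n2", "c7"): "n3"}        # on_route(N, C, M)
AREA_COMPONENT = {"n1": ["c1", "c2"], "n2": ["c3", "c4"],
                  "n3": ["c5", "c6", "c7"]}                 # area_component(N, C)


def revisables(agent, lost):
    """Default literals without rules that the agent may flip from false to true."""
    lits = {("ab", agent)} | {("ab", c) for c in AREA_COMPONENT[agent]}
    for node, comp in lost:
        hop = ON_ROUTE.get((node, comp))
        if hop is not None:
            lits.add(("ab", hop))
            lits.add(("new_message_lost", hop, comp))
    return sorted(lits)


def contradictory(agent, lost, assumed):
    """True if one of the integrity constraints CA, CLM, RO fires under `assumed`."""
    def ab(x):
        return ("ab", x) in assumed

    # CA: an abnormal area needs at least one abnormal component (local to the agent).
    if ab(agent) and not any(ab(c) for c in AREA_COMPONENT[agent]):
        return True
    for node, comp in lost:
        hop = ON_ROUTE.get((node, comp))
        # CLM: a lost message needs a cause on the route.
        if not (ab(node) or (hop is not None and ab(hop))):
            return True
        # RO: blaming the next hop obliges the agent to abduce the refined observation.
        if hop is not None and ab(hop) and ("new_message_lost", hop, comp) not in assumed:
            return True
    return False


def revisions(agent, lost):
    """All minimal sets R' of revisables such that P u R' is free of contradiction."""
    lits = revisables(agent, lost)
    found = []
    for size in range(len(lits) + 1):            # smallest candidates first
        for cand in combinations(lits, size):
            cand = frozenset(cand)
            if any(rev <= cand for rev in found):
                continue                          # superset of a revision: not minimal
            if not contradictory(agent, lost, cand):
                found.append(cand)
    return found


def refined_observations(revs):
    """Observations message_lost(M, C) abduced by revisions that blame a neighbor."""
    return sorted({(lit[1], lit[2]) for rev in revs for lit in rev
                   if lit[0] == "new_message_lost"})


if __name__ == "__main__":
    # Agent n1 observes message_lost(n1, c7).
    for rev in revisions("n1", [("n1", "c7")]):
        print(sorted(rev))
```

For n1 the revisions either blame n1 together with one of its own components or blame n2 and abduce message_lost(n2, c7); for n3, which has no further hop towards c7, every revision contains ab(n3).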

4.2 The Agents' Reaction Rules 

The reaction rules specify how the agents behave. Since the behavior depends on their 
diagnostic findings they need meta predicates to revise their knowledge base in the light 
of new observations. Based on the revisions three results are interesting:

1. There is no diagnosis to explain the observation (no_diags).

2. There is a diagnosis that the agent itself is abnormal. In this case, since an agent
knows its own state, other diagnoses are not of interest.

3. There are diagnoses which do not involve the agent itself (next). In this case the
agent abduces a new, refined observation.

With the two meta predicates no_diags and next/2 we encode the agents' reaction
rules:

If an agent receives an observation and has no explanation for it, the fault must be 
intermittent, since neither the agent itself is faulty nor are any neighbors to accuse. This 
is reported to the requesting agent: 

    sendMsg(intermittent_failure(B), A) ← recvMsg(message_lost(N, C), A),
                                          no_diags(message_lost(N, C)),
                                          i_am(B).                        Def. 8.2

If an agent receives an observation and is itself the cause of the problem, it reports
this fact back to the requesting agent:

    sendMsg(responsible(B), A) ← recvMsg(message_lost(N, C), A),
                                 i_am(B), obs(down, B).                   Def.^A

If the agent's area is not abnormal and there are diagnoses suspecting the agent's
neighbors, the newly abduced observation is sent to the suspected neighbor:

    sendMsg(message_lost(M, C), M) ← recvMsg(message_lost(N, C), A),
                                     i_am(B), not obs(down, B),
                                     next(M, message_lost(N, C)).         Def. 8.3

In this case the agent has to remember to forward the final diagnosis result to the 
requesting agent: 

    remember_to_reply_to(A) ← recvMsg(message_lost(N, C), A),
                              N ≠ A, i_am(B), not obs(down, B),
                              not no_diags(message_lost(N, C)).

If an agent receives a diagnosis result from one of its neighbors and has to report
the result to another neighbor, it forwards it:

    sendMsg(intermittent_failure(A), C) ← recvMsg(intermittent_failure(A), B),
                                          remember_to_reply_to(C).

    sendMsg(responsible(A), C) ← recvMsg(responsible(A), B),
                                 remember_to_reply_to(C).

After forwarding a diagnosis result, the “bookmark” to reply is removed from the
agent's knowledge base:

    neg(remember_to_reply_to(C)) ← recvMsg(intermittent_failure(A), B),
                                   remember_to_reply_to(C).

    neg(remember_to_reply_to(C)) ← recvMsg(responsible(A), B),
                                   remember_to_reply_to(C).



4.3 Traces 

To make the diagnosis process using the described knowledge base clearer, we consider
the following scenario. Node n1 sends a message to c7, but the message gets lost.
Since n1 does not receive an acknowledgment, a timeout mechanism informs n1 that
the message is lost and the diagnosis process starts. In the first scenario n3 loses the
message, whereas in the second one an intermittent failure occurred.

Initially the creator process sends a start message to all nodes (see figure 2 lines
1,2,3,4,9,14). The timeout mechanism informs n1 of the lost message (5,6). Node n1
knows that it is working fine and suspects the neighbor in charge of sending messages
to c7, namely n2. Subsequently n1 sends the refined observation that the message is
lost from n2 to c7 to n2 (8,10). Similarly n2 informs n3 (11,12,15). Additionally it
remembers that it has to report the final result to n1 (13). Finally, n3 turns out to be the
cause of the fault and the result is sent from n3 to n2 (16,17) and from n2 to n1 (18,19).
n2 removes the fact that it has to respond to n1 (20).

In the second trace (see figure 3) all nodes are ok at diagnosis time so the fault is
intermittent. The initial phase is similar to the first trace. Only when n3 comes up with
no diagnoses (16), a message of an intermittent failure is sent back.

5 Conclusion 

We have defined an agent-based framework for the diagnosis of large spatially dis- 
tributed technical systems. In this framework we assign an agent to every subsystem. 
This agent has detailed knowledge over its own subsystem and abstract knowledge over 
its neighbors. Using its declarative system description it can usually diagnose its own 
subsystem independently. Whenever it cannot detect a cause for an observed fault, it ac- 
cuses a suitable neighboring subnet and starts cooperation with the responsible agent. 
This distributed framework leads to attractive algorithm complexity compared to a cen- 
tralized solution, both concerning communication overhead and computational com- 
plexity. 

Our implementation is based on the concepts of vivid agents and extended logic
programming. The system description as well as the axioms needed for distributed di- 
agnosis are formulated as extended logic programs. Reaction rules allow the flexible 
implementation of the communication among the agents, so that the cooperation can be 
tailored to all kinds of applications. 

Abstract. In this paper, we propose a new way of considering reasoning
about action and change. Rather than placing a preferential structure
onto the models of logical theories, we place such a structure directly on
the semantics of the actions involved. In this way, we obtain a preferential
semantics of actions by means of which we can not only deal with several
of the traditional problems in this area such as the frame and ramification
problems, but can generalize these solutions to a context which includes
both nondeterministic and concurrent actions. In fact, the net result
is an integration of semantical and verificational techniques from the
paradigm of imperative and concurrent programs in particular, as known
from traditional programming, with the AI perspective. In this paper,
the main focus is on semantical (i.e. model theoretical) issues rather
than providing a logical calculus, which would be the next step in the
endeavor.



1 Introduction 

Reasoning about action and change has long been of special interest to AI and 
issues of knowledge representation (see [15]). In particular, the issue of repre- 
senting changes caused by actions in an efficient and economic way without the 
burden of explicitly specifying what is not affected by the actions involved and is 
left unchanged has been a major issue in this area, since typically this specifica- 
tion is huge and in some cases a priori not completely known. In a similar vein, 
one would also like to avoid explicitly stating all qualifications to actions and all 
secondary effects of actions. Most of the proposed solutions impose a so-called 
law of inertia on changes caused by actions which states that properties in the 
world tend to remain the same when actions occur unless this is known to be 
otherwise. Formally, the inertia assumption in AI has been treated as some kind
of default reasoning which in turn has triggered a host of theories about this 
specific application and defeasible and nonmonotonic theories in general. 

The problem that tends to arise with many of the proposed solutions is that 
application of the inertia assumption is generally too global, or coarse, resulting 
in unwanted or unintended side effects. One would like to invoke a more local or 
fine-grained application of inertia to the scenarios at hand and recent proposals 
tend to support this claim. One explanation for this coarseness is that typically 
one represents an action theory as a set of axioms and then considers a subclass of 
the models, the preferred models, as the theory's intended meaning. This means
that the effects of actions are represented or obtained in a slightly roundabout 
way: the action theory contains axioms from which the behavior of the actions 
can be deduced using the preferred models of these axioms which somehow 
have to capture or respect the law of inertia concerning these actions. In simple 
situations, this approach works fine, but it is well known that in more complex 
situations finding the right kinds of preferences on one’s models is not only very 
difficult, but even claimed not to be possible. 

Our claim is that this is due to the fact that the instrument of considering 
preferred models of theories that describe complete action scenarios is too coarse 
because of the fact that these models employ preference relations that stem 
from ‘global’ and not action-specific frame assumptions. The specification of 
preferred outcomes of actions is a delicate matter depending on the actions (and 
the environment) at hand, and should be handled at the action semantics level 
rather than the global logical theory describing the whole system. So, what we 
will do in this paper is to put preferences at the place they should be put, viz. 
the semantics of actions. On this level we can more succinctly fine-tune these 
preferences incorporating the mode of inertia that is needed for a particular 
action given a particular context (environment). For each action occurring in 
a scenario one can thus state the way the variables are known/expected to be 
affected: are they distinctly ‘set’ by the action to certain values, are they expected 
to be not affected, or do we know nothing about this at all, so that anything could 
happen with them? From this information one can deduce both the possible and
the expected behaviour of actions in a scenario, which can be reasoned about in
an action logic like dynamic logic ([7]).¹

We call this way of assigning meaning to actions preferential action seman- 
tics, which may be contrasted with traditional preferential semantics, which in 
contrast can be referred to as preferential theory (or assertion) semantics. Our 
claim is that preferential action semantics provides us with a flexible framework 
in which the subtleties of the (expected) behaviour of actions can be expressed 
and handled in a straightforward and adequate manner. In this paper we will 
support this claim with some interesting examples which require such subtlety 
in representation. Interestingly, but very naturally, this view will lead us very
close to what is studied in the area of so-called concurrency semantics, i.e. that
area of computer science where models of concurrent or parallel computations
are investigated. We see for instance that in this framework proposals from the
AI literature dealing with action and change which use constructs such as
occlusion/release ([3], [13], [8]) get a natural interpretation with respect to the aspect
of concurrency.

¹ To be fair, of course, it might be the case that this action-specific treatment can
be encoded into one global preference relation in traditional preferential (theory)
semantics, but this will inevitably lead to cumbersome and very intricate models.

Finally, in this introduction, we want to discuss the following possible objec- 
tion to our approach of coping with the frame problem. One might think that 
our solution is not a solution to the frame problem at all, since the above might 
give the impression that one has to specify exactly what happens for each action. 
However, this is not exactly true. The only thing that has to be specified for each 
action is to which class the variables involved belong: definitely set, framed (i.e. 
expected to remain the same) or completely free. The semantics decides then 
the rest. In fact, this also holds for preferential assertion semantics, where vari- 
ables must also be classified with respect to their “mode of affectedness”. It is 
well-known by now, that this is really needed; one cannot expect to devise some 
kind of ‘magical’ preference relation to work in all cases without this kind of 
information about the variables involved. Hard things cannot be expected to be 
obtained for free! The only difference is that in preferential action semantics this 
needs to (or rather, put more positively, may) be done on the level of an individ-
ual action. Our point is that specifying these things at a global level might be 
too much to ask from a (global, assertion-based) preferential entailment relation, 
which is then supposed to supply the ‘right’ outcomes in complicated situations, 
in one blow, so to speak. 



2 Preferential Semantics of Actions 

In this section, we define a very simple language of actions² with which we illustrate
our ideas on preferential semantics of actions. Of course, for representing
real systems this simple language should be extended, but the current simplification
will give the general idea.

We start with the set $\mathcal{FVAR}$ of feature variables and $\mathcal{FVAL}$ of feature values.
Elements of $\mathcal{FVAL}$ are typically denoted by the letter $d$, possibly marked or
subscripted.³ Next, we define a system state $\sigma$ as a function of feature variables
to feature values: $\sigma : \mathcal{FVAR} \to \mathcal{FVAL}$. So, for $x \in \mathcal{FVAR}$, $\sigma(x)$ yields its value.
The set of states is denoted by $\Sigma$. To denote changes of states we require the
concept of a variant of a state. The state $\sigma\{d/x\}$ is defined as the state such
that $\sigma\{d/x\}(x) = d$ and $\sigma\{d/x\}(y) = \sigma(y)$ for $y \ne x$.

Let a set $A$ of atomic actions be fixed. An atomic action $a \in A$ comes
with a signature indicating what variables are framed, which of these may nevertheless
vary (are released from inertia) and which are definitely set:
$a = a(\mathit{set}_a, \mathit{frame}_a, \mathit{release}_a)$, where $\mathit{set}_a, \mathit{frame}_a, \mathit{release}_a \subseteq \mathcal{FVAR}$, such that
$\mathit{release}_a \subseteq \mathit{frame}_a$ and $\mathit{set}_a \cap \mathit{frame}_a = \emptyset$. We also define $\mathit{inert}_a = \mathit{frame}_a \setminus \mathit{release}_a$
and $\mathit{var}_a = \mathcal{FVAR} \setminus (\mathit{set}_a \cup \mathit{frame}_a)$.⁴ The inert variables are those subject to
inertia, so that it is preferred that they retain the same value; the var variables
are those not subjected to inertia and are really variables in the true sense of the
word. The distinction between var and released variables is a subtle one: typically
when describing an action scenario some of the framed variables (which
are normally subject to inertia) are temporarily released, while some variables
are considered truly variable over the whole scenario. Sandewall [14] describes
the three classes of frame-released, frame-unreleased (inert), and var variables as
occluded, remanent, and dependent. Kartha and Lifschitz [8] were probably the
first to recognize this three-tiered distinction, while Sandewall [12] was the first
to use the frame/occluded distinction to deal properly with nondeterministic
actions and actions with duration.

² Actually, these are action expressions/descriptions rather than actions, but we will
use the term rather loosely here.

³ For convenience, we will assume that all feature variables range over the same set of
feature values, mostly the booleans, but of course this restriction can be lifted.

Given the set of atomic actions, complex actions can be formed as follows:

$\alpha ::= a \mid \mathbf{if}\ b\ \mathbf{then}\ \alpha_1\ \mathbf{else}\ \alpha_2\ \mathbf{fi} \mid \alpha_1 \oplus \alpha_2 \mid \alpha_1 + \alpha_2 \mid \alpha_1 \parallel \alpha_2 \mid \mathbf{fail}.$

Here, $a \in A$; $\mathbf{if}\ b\ \mathbf{then}\ \alpha_1\ \mathbf{else}\ \alpha_2\ \mathbf{fi}$, where $b$ is a boolean test on feature variables,
represents a conditional action with the obvious meaning; $\alpha_1 \oplus \alpha_2$ stands for
restricted choice between actions $\alpha_1$ and $\alpha_2$, where the release mechanism is
applied to the actions $\alpha_1$ and $\alpha_2$ separately; $\alpha_1 + \alpha_2$ stands for an open or liberal
choice between $\alpha_1$ and $\alpha_2$, where the release mechanism induced by the two
actions $\alpha_1$ and $\alpha_2$ is employed for $\alpha_1$ and $\alpha_2$ in a joint fashion (to be explained
later on); $\alpha_1 \parallel \alpha_2$ stands for the parallel (simultaneous) performance of both $\alpha_1$
and $\alpha_2$; $\mathbf{fail}$ denotes the failing action, possessing no successor states. The class
of all actions is denoted by $\mathit{Act}$. We now introduce the class of preferred actions
(or rather the class of preferred behaviors of actions) denoted by $\mathit{PrefAct} =
\{\alpha_\sharp \mid \alpha \in \mathit{Act}\}$, where $\alpha_\sharp$ expresses the preferred behavior of $\alpha$.⁵

The formal semantics of actions is given by functions which essentially describe
the way actions change states. We define a semantical function $[\cdot] : \mathit{Act} \to
\Sigma \to (2^\Sigma \times 2^\Sigma)$ for $\alpha \in \mathit{Act}$, $\sigma \in \Sigma$. $[\alpha](\sigma)$ denotes the set of states that
computation of action $\alpha$ may result in, together with information about which of
these states are preferred (or expected). So, $[\alpha](\sigma) = (S, S')$, where $S' \subseteq S \subseteq \Sigma$,
and $S'$ are the preferred (expected) outcome states of $\alpha$. If $[\alpha](\sigma) = (S, S')$, we
refer to $S$ and $S'$ by means of $([\alpha](\sigma))_\flat$ (or $[\alpha]_\flat(\sigma)$) and $([\alpha](\sigma))_\sharp$ (or $[\alpha]_\sharp(\sigma)$),
respectively. If $S' = S$, this means that there is no preferred strict subset. In
this case, we will just write $[\alpha](\sigma) = S$.

We allow placing constraints $\Phi$ on the set of states, so that effectively, the
function $[\cdot]$ is constrained: $[\cdot] : \mathit{Act} \to \Sigma_\Phi \to (2^{\Sigma_\Phi} \times 2^{\Sigma_\Phi})$, where $\Sigma_\Phi = \{\sigma \in \Sigma \mid$

⁴ When it is convenient, we may also specify the inert and var variables in an action,
such as e.g. $a = a(\mathit{set}_a, \mathit{inert}_a, \mathit{var}_a)$.

⁵ Note that it is senseless to talk about $(\alpha_\sharp)_\sharp$. This is not allowed by the syntax. We
leave the question to future research whether nestings of preference regarding action
behavior can be useful in some way.

⁶ Constraints will be used to treat the ramification problem in a later section.

We are now ready to define the semantics for atomic and complex actions in
terms of the functions described above. 



Atomic Actions 

For atomic action $a = a(\mathit{set}_a, \mathit{frame}_a, \mathit{release}_a)$, we define its semantics as follows.
First, we determine the effect of $a$ on the variables in $\mathit{set}_a$. We assume
that this is deterministic; let us denote the (unique) state yielded by this effect
by $\sigma_a$. We may e.g. write $\mathit{set}_a = \{+x, -y\}$ when we want to express that $x$ is
set to true and $y$ is set to false. For instance, if $\sigma$ is a state containing boolean
information about the feature $l$ (“the gun is loaded or not”), and $a$ is the action
$\mathit{load}(\mathit{set}_{load} = \{+l\})$, then $\sigma_{load} =$ representing that the load action sets
the variable $l$ to true.

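$[a(\mathit{set}_a, \mathit{frame}_a, \mathit{release}_a)](\sigma) = (S, S')$

where (supposing $\mathit{frame}_a = \{x_1, x_2, \ldots, x_m\}$, $\mathit{release}_a = \{x_1, x_2, \ldots, x_n\} \subseteq
\mathit{frame}_a$, so $n \le m$, and $\mathit{var}_a = \{y_1, y_2, \ldots, y_k\}$):

$S = \{\sigma_a\{d_1/x_1, d_2/x_2, \ldots, d_m/x_m, d'_1/y_1, d'_2/y_2, \ldots, d'_k/y_k\} \in \Sigma_\Phi
\mid d_1, d_2, \ldots, d_m, d'_1, d'_2, \ldots, d'_k \in \mathcal{FVAL}\}$

$(= \{\sigma' \in \Sigma_\Phi \mid \sigma'(z) = \sigma_a(z) \text{ for all } z \in \mathit{set}_a\})$

and

$S' = \{\sigma_a\{d_1/x_1, d_2/x_2, \ldots, d_n/x_n, d'_1/y_1, d'_2/y_2, \ldots, d'_k/y_k\} \in \Sigma_\Phi
\mid d_1, d_2, \ldots, d_n, d'_1, d'_2, \ldots, d'_k \in \mathcal{FVAL}\}$

$(= \{\sigma' \in \Sigma_\Phi \mid \sigma'(z) = \sigma_a(z) \text{ for all } z \in \mathit{set}_a \cup \mathit{inert}_a\})$.

Note that indeed $S' \subseteq S$ ($\subseteq \Sigma_\Phi$).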

Although the definition looks fairly complicated, it simply states formally
that the usual semantics of an action $a(\mathit{set}_a, \mathit{frame}_a, \mathit{release}_a)$ consists of those
states that apart from the definite effect of the action on the variables in $\mathit{set}_a$,
both var and frame variables may be set to any possible value, whereas the preferred
semantics (capturing inertia) keeps the inert variables the same, although
the var and release variables are still allowed to vary.

Let’s, by way of an example, consider the action load again, now also in
a context where the variable $a$, denoting being alive, plays a role. (You see,
we are heading towards the inevitable Yale Shooting.) Suppose that $\mathit{load} =
\mathit{load}(\mathit{set}_{load} = \{+l\}, \mathit{frame}_{load} = \{a\}, \mathit{release}_{load} = \emptyset)$. Let’s consider a state $\sigma$
in which $a$ is true (I’m alive) and $l$ is false (unloaded gun). Now the formal
semantics of the load action in this state gives us: $[\mathit{load}](\sigma) = (S, S')$ with $S =
\{\sigma\{T/l, T/a\}, \sigma\{T/l, F/a\}\}$ and $S' = \{\sigma\{T/l, T/a\}\}$, which means
that apart from setting $l$ to true (the gun becomes loaded), it is possible that both
one stays alive and one dies, but that the former is preferred (expected). If one
now, for some reason, would release the variable $a$ from the frame (assumption),
the expectation that $a$ remains true is dropped.
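
Complex Actions

In the sequel, it will sometimes be convenient to use the notation $\alpha(\mathit{set}_\alpha
= X, \mathit{frame}_\alpha = Y, \mathit{release}_\alpha = Z)$, or simply $\alpha(\mathit{set} = X, \mathit{frame} = Y, \mathit{release} = Z)$,
or even $\alpha(\mathit{set}\, X, \mathit{frame}\, Y, \mathit{release}\, Z)$, for the action $\alpha(\mathit{set}_\alpha, \mathit{frame}_\alpha, \mathit{release}_\alpha)$,
with $\mathit{set}_\alpha = X$, $\mathit{frame}_\alpha = Y$, and $\mathit{release}_\alpha = Z$. In addition, the set-theoretical
operators are, when needed, extended to pairs in the obvious way: $(S_1, S'_1) \bullet$

The conditional and fail actions are given the following meanings:

$[\mathbf{if}\ b\ \mathbf{then}\ \alpha_1\ \mathbf{else}\ \alpha_2\ \mathbf{fi}](\sigma) = [\alpha_1](\sigma)$ if $b(\sigma) = T$; and $[\alpha_2](\sigma)$ otherwise.

$[\mathbf{fail}](\sigma) = (\emptyset, \emptyset)$.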

Let’s now consider the choice operators. The difference between restricted
and liberal choice is illustrated by the following example. Suppose we have the
constraint that shower on ($o$) is equivalent to either a hot shower ($h$) or a cold
shower ($c$), i.e. $o \leftrightarrow h \vee c$. Let ho stand for the action of putting the hot shower
on ($h := T$), and co for the action of putting the cold shower on ($c := T$). In the
case where the restricted choice action ho $\oplus$ co is performed in a state where
$\neg o$ ($= \neg h \wedge \neg c$) holds, we either choose to do ho in this state resulting in a state
where $h \wedge o \wedge \neg c$ holds (so inertia is applied to $\neg c$), or co is chosen resulting in
a state where $c \wedge o \wedge \neg h$ holds (so inertia is applied to $\neg h$). In contrast, if the
liberal choice action ho $+$ co is performed in a state where $\neg o$, we just look at
the possibilities of doing ho, co, and possibly both, resulting in one of the states
$\{h \wedge o \wedge \neg c,\ \neg h \wedge o \wedge c,\ h \wedge o \wedge c\}$. So one may view this as if every atom $o$, $h$, or
$c$ is allowed to change value and is not subject to any inertia.

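The semantics of the restricted choice operator can be stated as follows. Let
the function $\mathit{Constrain}_\Phi$ be such that it removes all states that do not satisfy
the constraints $\Phi$: $\mathit{Constrain}_\Phi(S) = \{\sigma \in S \mid \sigma \models \Phi\}$. When no confusion arises,
we may omit the subscript $\Phi$.

$[\alpha(\mathit{set}_\alpha, \mathit{frame}_\alpha, \mathit{release}_\alpha) \oplus \beta(\mathit{set}_\beta, \mathit{frame}_\beta, \mathit{release}_\beta)](\sigma) =$
$\quad \mathit{Constrain}_\Phi([\alpha(\mathit{set}_\alpha, \mathit{frame}_\alpha, \mathit{release}_\alpha)](\sigma) \cup
[\beta(\mathit{set}_\beta, \mathit{frame}_\beta, \mathit{release}_\beta)](\sigma))$.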

The definition states that the restricted choice between $\alpha$ and $\beta$ regards the
actions $\alpha$ and $\beta$ more or less separately. In particular, the release mechanism
works separately for both actions $\alpha$ and $\beta$.

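The semantics of the liberal choice operator can be stated as follows.

$[\alpha(\mathit{set}_\alpha, \mathit{frame}_\alpha, \mathit{release}_\alpha) + \beta(\mathit{set}_\beta, \mathit{frame}_\beta, \mathit{release}_\beta)](\sigma) =$
$\quad \mathit{Constrain}_\Phi([\alpha(\mathit{set}_\alpha, \mathit{frame} = (\mathit{frame}_\alpha \cup \mathit{frame}_\beta \cup \mathit{set}_\beta) \setminus \mathit{set}_\alpha,$
$\qquad \mathit{release} = (\mathit{release}_\alpha \cup \mathit{release}_\beta \cup \mathit{set}_\beta) \setminus \mathit{set}_\alpha)](\sigma) \ \cup$
$\quad [\beta(\mathit{set}_\beta, \mathit{frame} = (\mathit{frame}_\alpha \cup \mathit{frame}_\beta \cup \mathit{set}_\alpha) \setminus \mathit{set}_\beta,$
$\qquad \mathit{release} = (\mathit{release}_\alpha \cup \mathit{release}_\beta \cup \mathit{set}_\alpha) \setminus \mathit{set}_\beta)](\sigma))$.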







In this case, the situation for the liberal choice operator is considered much
more uniformly in the sense that not only the set of frame variables is taken
together, but also the release mechanism works in a much more uniform manner.
For both actions the sets of release and set variables are added, so that inertia
is less potent and more possibility of variability (also with respect to preferred
outcomes) is introduced by considering joint effects of the two actions $\alpha$ and $\beta$.

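The semantics of the parallel operator can be stated as follows.

$[\alpha(\mathit{set}_\alpha, \mathit{frame}_\alpha, \mathit{release}_\alpha) \parallel \beta(\mathit{set}_\beta, \mathit{frame}_\beta, \mathit{release}_\beta)](\sigma) =$
$\quad \mathit{Constrain}_\Phi([\alpha(\mathit{set}_\alpha, \mathit{frame} = (\mathit{frame}_\alpha \cup \mathit{frame}_\beta \cup \mathit{set}_\beta) \setminus \mathit{set}_\alpha,$
$\qquad \mathit{release} = (\mathit{release}_\alpha \cup \mathit{release}_\beta \cup \mathit{set}_\beta) \setminus \mathit{set}_\alpha)](\sigma) \ \cap$
$\quad [\beta(\mathit{set}_\beta, \mathit{frame} = (\mathit{frame}_\alpha \cup \mathit{frame}_\beta \cup \mathit{set}_\alpha) \setminus \mathit{set}_\beta,$
$\qquad \mathit{release} = (\mathit{release}_\alpha \cup \mathit{release}_\beta \cup \mathit{set}_\alpha) \setminus \mathit{set}_\beta)](\sigma))$.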

Note the similarity with the liberal choice operator. In fact, the only thing
that has changed with respect to the latter is that now only the joint effects of
both actions are taken into consideration, where the release mechanism for both
actions is again taken as liberal as possible allowing for as much interaction as
possible.

Finally, we consider the preferred behavior operator $\sharp$:

$[\alpha_\sharp](\sigma) = ([\alpha](\sigma))_\sharp$.



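Example. Let us consider the shower example again. The actions ho and
co can be described more precisely as $\mathit{ho}(\mathit{set}\{+h\}, \mathit{frame}\{o, c\}, \mathit{release}\{o\})$ and
$\mathit{co}(\mathit{set}\{+c\}, \mathit{frame}\{o, h\}, \mathit{release}\{o\})$. Recall that we have $o \leftrightarrow h \vee c$ as a domain
constraint ($\Phi$). Let $\sigma$ be such that $\sigma = \{F/h, F/c, F/o\}$. Now, $[(\mathit{ho} \oplus \mathit{co})_\sharp](\sigma)$
becomes

$(\mathit{Constrain}_\Phi([\mathit{ho}(\mathit{set}\{+h\}, \mathit{frame}\{o, c\}, \mathit{release}\{o\})](\sigma) \ \cup$
$\quad [\mathit{co}(\mathit{set}\{+c\}, \mathit{frame}\{o, h\}, \mathit{release}\{o\})](\sigma)))_\sharp =$
$\{\sigma\{T/h, F/c, T/o\}, \sigma\{F/h, T/c, T/o\}\}$,

while $[(\mathit{ho} + \mathit{co})_\sharp](\sigma) =$

$(\mathit{Constrain}_\Phi([\mathit{ho}(\mathit{set}\{+h\}, \mathit{frame} = \mathit{release} = \{o, c\})](\sigma) \ \cup$
$\quad [\mathit{co}(\mathit{set}\{+c\}, \mathit{frame} = \mathit{release} = \{o, h\})](\sigma)))_\sharp =$
$\{\sigma\{T/h, F/c, T/o\}, \sigma\{F/h, T/c, T/o\}, \sigma\{T/h, T/c, T/o\}\}$,

as expected.

In addition, consider the action $\mathit{ho} \parallel \mathit{co}$ in the same setting. Intuitively, one
would expect that this action should have the effect of putting the shower on
with both cold and hot water. $[(\mathit{ho} \parallel \mathit{co})_\sharp](\sigma) = (\mathit{Constrain}_\Phi([\mathit{ho}(\mathit{set}\{+h\}, \mathit{frame} =
\mathit{release} = \{o, c\})](\sigma) \cap [\mathit{co}(\mathit{set}\{+c\}, \mathit{frame} = \mathit{release} = \{o, h\})](\sigma)))_\sharp$, which is
equivalent to $\{\sigma\{T/h, T/c, T/o\}\}$, as desired.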
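
The semantics of atomic actions and of the operators $\oplus$, $+$, $\parallel$ and $\sharp$ defined above, executed on the load and shower examples; this is an added example, not code from the paper. It assumes boolean feature values and atomic operands, and the names `Action`, `sem`, `widened` and the operator functions are chosen here.

```python
from dataclasses import dataclass
from itertools import product


def freeze(state):
    """Hashable form of a state (dict: feature variable -> boolean value)."""
    return tuple(sorted(state.items()))


def state(**values):
    """Convenience constructor for a frozen state, e.g. state(h=True, c=False, o=True)."""
    return freeze(values)


@dataclass
class Action:
    """Atomic action a(set_a, frame_a, release_a); `sets` maps each set variable to its new value."""
    sets: dict
    frame: frozenset
    release: frozenset = frozenset()

    def __post_init__(self):
        self.frame, self.release = frozenset(self.frame), frozenset(self.release)
        if not self.release <= self.frame or self.frame & set(self.sets):
            raise ValueError("need release <= frame, and set and frame disjoint")


def sem(act, sigma, fvar, phi=lambda s: True):
    """[a](sigma) = (S, S'): possible and preferred outcomes among the states satisfying phi."""
    sigma_a = {**sigma, **act.sets}                  # deterministic effect on set_a

    def variants(fixed):
        # All states that agree with sigma_a on `fixed` and are arbitrary elsewhere.
        free = [v for v in fvar if v not in fixed]
        out = set()
        for values in product((True, False), repeat=len(free)):
            candidate = {**sigma_a, **dict(zip(free, values))}
            if phi(candidate):
                out.add(freeze(candidate))
        return out

    inert = act.frame - act.release                  # framed and not released: subject to inertia
    return variants(set(act.sets)), variants(set(act.sets) | inert)


def widened(a, b):
    """Signature of a inside a + b or a || b: b's frame, release and set variables join a's."""
    own = set(a.sets)
    return Action(a.sets,
                  (a.frame | b.frame | set(b.sets)) - own,
                  (a.release | b.release | set(b.sets)) - own)


def restricted_choice(a, b, sigma, fvar, phi):
    """a (+) b: each action keeps its own release mechanism; outcomes are united."""
    (s1, p1), (s2, p2) = sem(a, sigma, fvar, phi), sem(b, sigma, fvar, phi)
    return s1 | s2, p1 | p2


def liberal_choice(a, b, sigma, fvar, phi):
    """a + b: both actions are evaluated with the joint (widened) signatures."""
    (s1, p1) = sem(widened(a, b), sigma, fvar, phi)
    (s2, p2) = sem(widened(b, a), sigma, fvar, phi)
    return s1 | s2, p1 | p2


def parallel(a, b, sigma, fvar, phi):
    """a || b: as liberal choice, but only the joint effects (intersection) remain."""
    (s1, p1) = sem(widened(a, b), sigma, fvar, phi)
    (s2, p2) = sem(widened(b, a), sigma, fvar, phi)
    return s1 & s2, p1 & p2


def preferred(outcome):
    """The sharp operator: keep only the preferred component S' of (S, S')."""
    return outcome[1]


# The shower example: constraint o <-> h v c, start state with everything false.
FVAR = ("h", "c", "o")
PHI = lambda s: s["o"] == (s["h"] or s["c"])
SIGMA = {"h": False, "c": False, "o": False}
HO = Action({"h": True}, {"o", "c"}, {"o"})
CO = Action({"c": True}, {"o", "h"}, {"o"})

if __name__ == "__main__":
    for name, op in (("ho (+) co", restricted_choice), ("ho + co", liberal_choice),
                     ("ho || co", parallel)):
        print(name, sorted(preferred(op(HO, CO, SIGMA, FVAR, PHI))))
```

Applying the constraint inside `sem` instead of through a separate `Constrain` step gives the same sets, since union and intersection commute with filtering by $\Phi$.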

Remark on Semantical Entities

The observing reader may have noticed that in the above definitions we have
abused our language slightly by mixing syntax and semantics. This is due to
the fact that, although the signature of an action consisting of a specification of
the set, framed and released variables has a very syntactic ring to it, it nevertheless
conveys semantical information. When one is more rigorous, one should
consider semantical entities of the following type: sets of tuples of the form
$(S, S', (\mathit{set}, \mathit{frame}, \mathit{release}))$, where the $S$ and $S'$ with $S' \subseteq S$ are sets of states
(denoting the possible resulting states and the preferred subset of these, respectively),
and $\mathit{set}$, $\mathit{frame}$ and $\mathit{release}$ are sets of variables expressing the status
of the variables with respect to the sets $S$ and $S'$. Of course, this information is
implicit in the sets $S$ and $S'$, but for the sake of defining the interpretation of
the operators it is very convenient to have this information explicitly available in
the denotations of results. Now we may define our operators on these enhanced
semantical elements: on tuples they read as follows:

$(S_1, S'_1, (\mathit{set}_1, \mathit{frame}_1, \mathit{release}_1)) \oplus (S_2, S'_2, (\mathit{set}_2, \mathit{frame}_2, \mathit{release}_2)) =$
$\quad \{(S_1, S'_1, (\mathit{set}_1, \mathit{frame}_1, \mathit{release}_1)),\ (S_2, S'_2, (\mathit{set}_2, \mathit{frame}_2, \mathit{release}_2))\}$

$(S_1, S'_1, (\mathit{set}_1, \mathit{frame}_1, \mathit{release}_1)) + (S_2, S'_2, (\mathit{set}_2, \mathit{frame}_2, \mathit{release}_2)) =$
$\quad \{(S_1, S'_1, (\mathit{set}_1, (\mathit{frame}_1 \cup \mathit{frame}_2 \cup \mathit{set}_2) \setminus \mathit{set}_1, (\mathit{release}_1 \cup \mathit{release}_2 \cup \mathit{set}_2) \setminus \mathit{set}_1)),$
$\quad\ (S_2, S'_2, (\mathit{set}_2, (\mathit{frame}_1 \cup \mathit{frame}_2 \cup \mathit{set}_1) \setminus \mathit{set}_2, (\mathit{release}_1 \cup \mathit{release}_2 \cup \mathit{set}_1) \setminus \mathit{set}_2))\}$

$(S_1, S'_1, (\mathit{set}_1, \mathit{frame}_1, \mathit{release}_1)) \parallel (S_2, S'_2, (\mathit{set}_2, \mathit{frame}_2, \mathit{release}_2)) =$
$\quad \{(S_1 \cap S_2, S'_1 \cap S'_2, (\mathit{set}_1 \cup \mathit{set}_2, (\mathit{frame}_1 \cup \mathit{frame}_2) \setminus (\mathit{set}_1 \cup \mathit{set}_2),$
$\qquad (\mathit{release}_1 \cup \mathit{release}_2) \setminus (\mathit{set}_1 \cup \mathit{set}_2)))\}$

Finally, we extend the definition to sets of tuples $T_1$ and $T_2$ in the obvious
way: $T_1 \mathbin{\Delta} T_2 = \bigcup_{t_1 \in T_1,\, t_2 \in T_2} t_1 \mathbin{\Delta} t_2$ for $\Delta = \oplus, +, \parallel$. This shows how one can do
the previous definitions more formally. However, we have chosen not to do this
in the remainder of the paper in order to keep things more intelligible, and to
focus on the main ideas.

3 Preferential Action Dynamic Logic (PADL) 

In order to define a logic for reasoning about actions which includes their pre- 
ferred interpretations, we simply take the (ordinary) dynamic logic formalism 
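which is well known from the theory of imperative programming ([7]). Formulas
in the class $\mathit{Form}$ are of the form $[\alpha]\varphi$, where $\alpha \in \mathit{Act} \cup \mathit{PrefAct}$, $\varphi \in \mathit{Form}$,
closed under the usual classical connectives.

The semantics of formulas is given by the usual Kripke-style semantics. A
Kripke model is a structure $M = (\Sigma, \{R_\alpha \mid \alpha \in \mathit{Act} \cup \mathit{PrefAct}\})$, where the
accessibility relations $R_\alpha$ are given by $R_\alpha(\sigma, \sigma') \Leftrightarrow_{def} \sigma' \in [\alpha]_\flat(\sigma)$.

Formulas of the form $[\alpha]\varphi$ are now interpreted as usual: $M, \sigma \models [\alpha]\varphi \Leftrightarrow$
for all $\sigma'$: $R_\alpha(\sigma, \sigma') \Rightarrow M, \sigma' \models \varphi$. The other connectives are dealt with as
usual. Note the special case involving formulas with preferred actions where
$[\alpha_\sharp]\varphi$ is interpreted as: $M, \sigma \models [\alpha_\sharp]\varphi \Leftrightarrow$ (for all $\sigma'$: $R_{\alpha_\sharp}(\sigma, \sigma') \Rightarrow M, \sigma' \models \varphi$)
$\Leftrightarrow$ (for all $\sigma'$: $\sigma' \in [\alpha_\sharp](\sigma) \Rightarrow M, \sigma' \models \varphi$) $\Leftrightarrow$ (for all $\sigma'$: $\sigma' \in ([\alpha](\sigma))_\sharp \Rightarrow
M, \sigma' \models \varphi$). Validity in a model, $M \models \varphi$, is defined as $M, \sigma \models \varphi$ for all $\sigma$.
Validity of a formula, $\models \varphi$, is defined as $M \models \varphi$ for all models $M$.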

Some useful validities (here we assume the set of constraints to be finite and 
abuse our language slightly and let stand for the conjunction of its elements 
as well): 

h H(^ ^ V’) ^ {[(Af) [AA 

^ [if b then ai else 02 ^ (A ^ [o^i]'/’) V Ab A [a^}^) 

A [«#]</’ 

h [a II /?]<(' 

h A [A\^) ([(a ® AiA ^ [a# [A\A 

h [(a + AiA [(a ® AiA 

Note, by the way, that regarding non-preferred behaviour we have that ^ 
[a + A't’ [a 0 /?](/) |a](() A [AA- Furthermore, as usual in dynamic logic we 

have that: A 4' ^\= AA- 

However, some notable non-validities are: 

A [{a II AiA 

A [(a ® AiA [(« + 

4 SKIP vs. WAIT: Concurrency 

Let us now briefly examine the difference between a wait action in the AI 
context and a skip action in imperative programming. A strong monotonic 
inertia assumption is implicitly built into the state transitions of imperative 
programming where the meaning of the skip action for example is just the identity 
function; $[\![skip]\!] = \lambda\sigma.\sigma$. For the wait action, it also holds that $[\![wait_\sharp]\!] = \lambda\sigma.\sigma$, 
but in this case, the inertia assumption is weaker in the sense that the 
action may itself show any behavior, due to additional effects in the environment. 
Our approach offers the possibility of specifying this weaker notion which will 
even work properly in the context of unspecified concurrent actions. For 
example, if $wait = wait(set = frame = release = \emptyset)$, $load = load(set\{+l\})$, and 
we consider the action $wait \parallel load$, we obtain 

$$[\![wait \parallel load]\!](\sigma) = [\![wait(set = frame = release = \emptyset) \parallel load(set\{+l\})]\!](\sigma) = [\![wait(frame\{l\}, release\{l\})]\!](\sigma) \cap [\![load(set\{+l\})]\!](\sigma) = \{\sigma\{T/l\}, \sigma\{F/l\}\} \cap \{\sigma\{T/l\}\} = \{\sigma\{T/l\}\} = [\![load]\!](\sigma).$$

More interestingly, if we also consider the propositional fluent $a$, we see how 
the release and the law of inertia work together. Suppose $wait = wait(frame\{a, l\})$, 
$load = load(set\{+l\})$. Then 

$$[\![wait \parallel load]\!](\sigma) = [\![wait(frame\{a, l\}) \parallel load(set\{+l\})]\!](\sigma) = [\![wait(frame\{a, l\}, release\{l\})]\!](\sigma) \cap [\![load(set\{+l\}, frame\{a\})]\!](\sigma).$$

It follows that $\models (\neg l \wedge a) \to [wait \parallel load]\,l$, while $\models (\neg l \wedge a) \to [(wait \parallel load)_\sharp](l \wedge a)$, as would be 
expected. 

The upshot of all this is that although preferably the wait action has the 
same effect as the skip action, nevertheless due to the (non-specified) concurrent 
actions that are done in parallel with the wait, and over which we do not have any 
control, additional effects might occur. 

5 Other Examples 

We will start with a number of standard examples and move towards larger and 
more complex examples which combine the frame and ramification problems 
with concurrent actions. 



Yale Shooting Scenario: Initially Fred is alive, then the gun is loaded, we 
wait for a moment and then shoot. Of course (under reasonable conditions), 
it is expected that Fred is dead after shooting. In our approach, this example 
is represented as follows: we have the features loaded ($l$), alive ($a$), and the 
actions $load = load(set\{+l\}, frame\{a\})$, $wait = wait(frame\{a, l\})$, and $shoot = 
\mathbf{if}\ l\ \mathbf{then}\ kill(set\{-a\})\ \mathbf{else}\ wait(frame\{a, l\})\ \mathbf{fi}$. Now we have that $(\neg l \wedge a) \to 
[load_\sharp](l \wedge a)$; $(l \wedge a) \to [wait_\sharp](l \wedge a)$; and finally $(l \wedge a) \to [kill_\sharp]\neg a$, and hence 
also $(l \wedge a) \to [shoot_\sharp]\neg a$, so that $\models (\neg l \wedge a) \to [load_\sharp][wait_\sharp][shoot_\sharp]\neg a$. 



Russian Turkey Shoot: The scenario is more or less as before, but now the 
wait action is replaced by a spin action: $spin = spin(frame\{a\})$, leaving the 
variable $l$ out of the frame, which may then vary arbitrarily. Clearly, $\not\models (\neg l \wedge a) \to 
[load_\sharp][spin_\sharp][shoot_\sharp]\neg a$, since $\not\models (l \wedge a) \to [spin_\sharp]\,l$, although it is the case that 
$\models (l \wedge a) \to [spin_\sharp]\,a$. 



The Walking Turkey Shoot (Ramification): Similar to the Yale Shooting 
Scenario, but now we also consider the feature walking ($w$) and the constraint 
that walking implies alive: $\Phi = \{w \to a\}$. So now we consider the action 
$shoot = \mathbf{if}\ l\ \mathbf{then}\ kill(set\{-a\}, release\{w\})\ \mathbf{else}\ wait(frame\{a, l\})\ \mathbf{fi}$, and 
obtain $\models (l \wedge a) \to [shoot_\sharp](\neg a \wedge \neg w)$. In this case, inertia on $w$ is not applied. 

We now proceed to some more complicated scenarios. 



Jumping into the Lake Example ([1], [5]): Consider the situation in which 
one jumps into a lake, wearing a hat. Being in the lake ($l$) implies being wet 
($w$). So we have as a constraint $\Phi = \{l \to w\}$. If one is initially not in the lake, 
not wet and wearing a hat, the preferred result using inertia would be that after 
jumping into the lake, one is in the lake and wet, but no conclusions concerning 
wearing a hat after the jump can be derived. We do not want to apply inertia 
to the feature of wearing a hat, since it is conceivable that while jumping, one 
could lose one’s hat. So technically, this means that the feature variable hat-on 
($h$) is left out of the frame. (Another way of representing this, which one might 
prefer and which will give the same result, is viewing the frame constant over 
the whole scenario, including $h$, and then releasing $h$ in the present situation.) 

If one is in the lake and wet, we would expect that after getting out of the 
lake, one is not in the lake, but still wet in the resulting state. So, inertia would 
be applied to the feature wet. Furthermore, we may assume that getting out of 
the lake is much less violent than jumping into it, so that we may also put h in 
the frame. Finally, if one is out of the lake and wet, then putting on a hat would 
typically result in a state where one has a hat on, while remaining out of the 
lake and wet. 

Formally, we can treat this relatively complicated scenario by means of our 
semantics as follows. Consider the feature variables $l$ (being in the lake), $w$ (being 
wet), $h$ (wearing a hat), and the constraint $\Phi = \{l \to w\}$. In addition, we would 
need three actions. 

— jump-into-lake $= jil(set\{+l\}, frame\{w\}, release\{w\})$, where $w$ must be 
released in view of the constraint $l \to w$. 

— get-out-of-lake $= gol(set\{-l\}, frame\{w, h\})$; although $l$ is set, $w$ is not 
released, since $l$ is set to false and this does not enforce anything in view of 
the constraint $l \to w$. 

— put-on-hat $= poh(set\{+h\}, frame\{l, w\})$. 

Now, applying the logic gives the desired results: $(\neg l \wedge \neg w \wedge h) \to [jil_\sharp](l \wedge w)$, 
and $(\neg l \wedge \neg w \wedge h) \to [jil](l \wedge w)$; $(l \wedge w) \to [gol_\sharp](\neg l \wedge w)$, (even $(l \wedge w \wedge h) \to 
[gol_\sharp](\neg l \wedge w \wedge h)$), and $(l \wedge w) \to [gol]\neg l$; $(\neg l \wedge w) \to [poh_\sharp](\neg l \wedge w \wedge h)$, and 
$(\neg l \wedge w) \to [poh]\,h$. 

What this example shows is that one still has to choose the signature of ac- 
tions: what is put in the frame and what is not. This is not done automatically 
by the framework. We claim this to be an advantage because it provides enor- 
mous flexibility in its use, while at the same time it calls for exactness, so that 
the specifying of agents forces one to specify per action how things should be 
handled. The law of inertia (applied on non-released frame variables) takes care 
of the rest, so to speak. 

It is important to emphasize that some of the newer approaches for dealing 
with directed ramification which introduce explicit causal axioms ([9], [16]) essen- 
tially encode the same types of behavior, but at the same time rule out similar 
flexibility in specification of actions. Thielscher [16] for example, claims that the 
frame/released approaches are limited and provides the extended circuit exam- 
ple as a counterexample. One should rather view frame/released approaches as 
the result of a compilation process which compiles causal dependencies of one 
form or another [6]. The distinction to keep in mind is whether one’s formalism 
is capable of specifying frame/released constraints differently from state to state. 
This deserves further analysis in the context of this approach. 

Lifting a Bucket of Water. One can also use preferential action semantics in 
cases where one has certain default behavior of actions on other grounds than 
the law of inertia. Consider the lifting of a bucket filled with water with a left 
and right handle by means of a robot with two arms. Let lift-left ($ll$) be the 
action of the robot’s lifting the left handle of the bucket with its left arm and 
lift-right ($lr$) be the analogous action of the robot’s right arm. Obviously, when 
only one of the two actions is performed separately, water will be spilled. On 
and no water is spilled. We place a constraint on the scenario that r). 

Now, we can say that normally when lift-right is performed, water gets spilled. 
However, in the extraordinary case when lift-right is performed in a context 
where (coincidentally) lift-left is also performed, water is not spilled. This ex- 
ample can be represented clearly and succinctly with our semantics. We assume 
that initially, in state $\sigma$, neither arm is lifted, and no water is spilled (yet), i.e. the 
variables $l$, $r$ and $s$ are all false. One can associate with lift-right the semantics: 

$$[\![lr(set\{+r\}, frame\{l\})]\!](\sigma) = (\{\sigma\{T/r\}\{T/s\}, \sigma\{T/r\}\{F/s\}\}, \{\sigma\{T/r\}\{T/s\}\}),$$

expressing that performance of lift-right leads to a state where the right arm is 
raised ($r$) and either water gets spilled or not, but that the former is preferred 
(on other grounds than inertia: note that $s$ is not framed). Analogously, we can 
define this for lift-left, where instead of the variable $r$, a variable $l$ is set to 
indicate the left arm is raised. So, in our dynamic logic, the result is $\models [lr]\,r$ 
and $\models [ll]\,l$, but $\not\models [lr]\,s$ and $\not\models [ll]\,s$. On the other hand, we do have $\models [lr_\sharp]\,s$ and 
$\models [ll_\sharp]\,s$. Furthermore, since 

$$[\![ll \parallel lr]\!](\sigma) = [\![ll(set\{+l\}, frame = release = \{r\})]\!](\sigma) \cap [\![lr(set\{+r\}, frame = release = \{l\})]\!](\sigma) =$$
$$\{\sigma\{T/l\}\{T/r\}\{F/s\}, \sigma\{T/l\}\{F/r\}\{T/s\}\} \cap \{\sigma\{T/r\}\{T/l\}\{F/s\}, \sigma\{T/r\}\{F/l\}\{T/s\}\} = \{\sigma\{T/r\}\{T/l\}\{F/s\}\},$$

we also obtain that $\models [ll \parallel lr](r \wedge l \wedge \neg s)$, as desired. 

6 Directions for Future Work 

We would like to investigate the possibility of introducing sequences of actions 
by considering the class $ActSeq$ given by $\beta = \alpha \mid \beta_1; \beta_2$. This would allow one 
to write down the outcome of a scenario such as the Yale Shooting problem as: 
$(\neg l \wedge a) \to [load_\sharp; wait_\sharp; shoot_\sharp]\neg a$, instead of having to resort to the (equivalent) 
slightly roundabout representation $(\neg l \wedge a) \to [load_\sharp][wait_\sharp][shoot_\sharp]\neg a$, as we 
did earlier. Note that by this way of defining action sequences, we (purposely) 
prohibit considering preferred sequences. Thus, something like $(\beta_1; \beta_2)_\sharp$ would 
now be ill-formed in our syntax, while $\alpha_{1\sharp}; \alpha_{2\sharp}$ is allowed. It remains subject 
to further research whether something like $(\beta_1; \beta_2)_\sharp$ could be given a clear-cut 
semantics and whether it would be a useful construct to have. 

Surprises ([12], [13]) can also be expressed in preferential action semantics. 
A surprise is some outcome of an action which was not expected, so formally 
we can express this as follows: $\phi$ is a surprise with respect to action $\alpha$ (denoted 
$surprise(\alpha, \phi)$) iff it holds that $[\alpha_\sharp]\neg\phi \wedge \langle\alpha\rangle\phi$. This states that although it is 
expected that $\neg\phi$ will hold after performing $\alpha$, $\phi$ is nevertheless (an implausible 
but possible) outcome of $\alpha$. For instance, in a state where Fred is alive ($a$), 
it would come as a surprise that after a wait action, he would be not alive: 
$a \to ([wait(frame\{a\})_\sharp]\,a \wedge \langle wait(frame\{a\})\rangle\neg a)$ is indeed true with respect to 
our semantics. 

An interesting question, raised by one of the anonymous referees, is whether 
for some applications it would be useful or even required to extend the ‘two-level’ 
semantics (viz. possible and expected behaviour) into a more fine-grained one 
with multiple levels. We do not see the need for this at the moment. It might 
be possible that our approach is already sufficiently fine-grained due to the fact 
that we consider these two levels for any action in the scenario, which in total 
yields an enormous flexibility. 

Other interesting issues to be studied are delayed effects of actions and pre- 
diction. It will be interesting to see whether modeling delay by using a wait action 
with a specific duration in parallel with other actions would give adequate re- 
sults, while prediction seems to be very much related to considering expected 
results of (longer) chains of actions as compared to chains of preferred actions 
(as briefly indicated above). Perhaps a notion of graded typicality of behavior 
might be useful in this context. We surmise that by the very nature of the $[\alpha]$ 
modality (related to weakest preconditions) the framework so far seems to fit 
for prediction but is not very suitable for postdiction or explanation of scenarios 
([13]). Perhaps extending it with the notion of strongest postconditions ([2], [11], 
[10]) would be helpful here. 

Finally, although we made a plea for using preferential action semantics 
rather than preferential assertion semantics to describe action scenarios, it would, 
of course, be interesting to investigate the relation between the two, hopefully 
substantiating our claim that the former is more flexible or easier to use than the 
latter. We expect that systematic studies of relations between underlying (onto- 
logical and epistemological) assumptions of action/agent systems and (assertion) 
preferential models such as ([13]) will be useful guidelines in this investigation. 



7 Related Work 

We were much inspired by work by ([11], [10]). In this work the authors also 
attempted to employ proven verification and correctness methods and logics 
from imperative programming for reasoning about action and change in AI. In 
particular Dijkstra’s wp-formalism is used. This formalism is based on the notion 
of weakest preconditions (and strongest postconditions) of actions and is in fact 
very close to the dynamic logic framework: formulas of the form $[\alpha]\phi$ are actually 
the same as the wlp (weakest liberal precondition) of action $\alpha$ with respect to 
postcondition $\phi$. In ([11], [10]) a central role is played by the following theorem 
from Dijkstra and Scholten ([2]) which says that a state $\sigma \models \alpha \wedge \neg wlp(S, \neg\beta)$ iff 
there is a computation $c$ under control of $S$ starting in a state satisfying $\alpha$ and 
terminating in a state satisfying $\beta$ such that $\sigma$ is the initial state of $c$. 

What all this amounts to is that when in [11], weakest (liberal) preconditions 
and the above theorem are used, something is stated of the form that after 
execution of an action $\alpha$, $\phi$ may possibly be true, which in dynamic logic is 
expressed as $\langle\alpha\rangle\phi$ ($= \neg[\alpha]\neg\phi$). Typically, this leads to too weak statements: one 
does not want to say that there is some execution of $\alpha$ that leads to $\phi$, but that 
the set of all expected (but of course not all) output states satisfy some property. 
This is exactly what we intend to capture by means of our preferential action 
semantics. Another aspect that we disagree with, as the reader might suspect 
from the above, is that [11] uses the skip statement to express the wait action. 
In our view this is equating a priori the action of waiting with its preferred 
behavior (in view of the law of inertia). 

Finally, we mention that the work reported in [4] is similar in spirit to ours. 
Here also, a distinction between typical (preferred) and possible behavior of 
actions is made within a dynamic logic setting. Our approach is more concrete 
in the sense that we directly incorporate aspects of inertia into the semantics, 
and, moreover, have an explicit preference operator (applied to actions) in the 
language. This implies that we can also speak about preferred versus possible 
behavior in the object language. On the other hand, we have not (yet) considered 
preferred paths of executions of actions as in [4]. 

Abstract. In this paper a dialectical proof theory is proposed for logical 
systems for defeasible argumentation that fit a certain format. This 
format is the abstract theory developed by Dung, Kowalski and others. 
A main feature of the proof theory is that it also applies to systems in 
which reasoning about the standards for comparing arguments is possible. 
The proof theory could serve as the ‘logical core’ of protocols for 
dispute in multi-agent decision making processes. 



1 Introduction 

Recent nonmonotonic logics often have the form of a system for defeasible 
argumentation (e.g. [Pollock 87, Simari & Loui 92, Vreeswijk 93a, Dung 95] and 
[Prakken & Sartor 96a]). In such systems nonmonotonic reasoning is analyzed 
in terms of the interactions between arguments for alternative conclusions. 
Nonmonotonicity arises since arguments can be defeated by stronger 
counterarguments. In this paper a dialectical proof theory is proposed for systems of 
this kind that fit a certain abstract format, viz. the one defined by [Dung 95]. 
The use of dialectical proof theories for defeasible reasoning was earlier studied 
by [Dung94] and, inspired by [Rescher 1977], by [Loui 93, Vreeswijk 93b, 
Brewka 94b], while also [Royakkers & Dignum 1996] contains ideas that can 
be regarded as a dialectical proof theory. The general idea is based on 
game-theoretic notions of logical consequence developed in dialogue logic (for an 
overview see [Barth & Krabbe 82]). Here a proof of a formula takes the form 
of a dialogue game between a proponent and an opponent of the formula. Both 
players have certain ways available of attacking and defending a statement. A 
formula is provable iff it can be successfully defended against every possible 
attack. 

In this paper first the general framework of [Dung 95] will be described 
(Section 2), after which in Section 3 the dialectical proof theory is presented. Then 
in Section 4 Dung’s framework and the proof theory will be adapted in such a 
way that the standards used for comparing conflicting arguments are themselves 
(defeasible) consequences of the premises. 

The ideas of this paper were originally developed in [Prakken & Sartor 96b], 
for a logic-programming system presented in [Prakken & Sartor 96a], which in 
turn extended and revised [Dung 93b]’s application of his semantics to extended 
logic programming. In [Prakken & Sartor 96b] the system is applied to legal 
reasoning. The main purpose of the present paper is to show that the 
proof-theoretical ideas apply to any system of the format defined by [Dung 95]. For 
this reason the present paper does not express arguments in a formal language; 
it just assumes that this can be done. 

2 An abstract framework for defeasible argumentation 

Inspired by earlier work of Bondarenko, Kakas, Kowalski and Toni, [Dung 95] has 
proposed a very abstract and general argument-based framework. An up-to-date 
technical survey of this approach is [Bondarenko et al. 95]. The two basic notions 
of the framework are a set of arguments, and a binary relation of defeat among 
arguments. In terms of these notions, various notions of argument extensions are 
defined, which aim to capture various types of defeasible consequence. Then it is 
shown that many existing nonmonotonic logics can be reformulated as instances 
of the abstract framework. 

The following version of this framework is kept in the abstract style of 
[Dung 95], with some adjustments proposed in [Prakken & Sartor 96a]. Impor- 
tant differences will be indicated when relevant. 

Definition 1. An argument-based theory (AT) is a pair $(Args_{AT}, defeat_{AT})$,¹ 
where $Args_{AT}$ is a set of arguments, and $defeat_{AT}$ a binary relation on $Args_{AT}$. 

— An AT is finitary iff each argument in $Args_{AT}$ is defeated by at most a finite 
number of arguments in $Args_{AT}$. 

— An argument A strictly defeats an argument B iff A defeats B and B does 
not defeat A. 

— A set of arguments is conflict-free iff no argument in the set is defeated by 
another argument in the set. 

This definition abstracts from both the internal structure of an argument and 
the origin of the set of arguments. The idea is that an AT is defined by some 
nonmonotonic logic or system for defeasible argumentation. Usually the set Args 
will be all arguments that can be constructed in these logics from a given set 
of premises, but this set might also just contain all arguments that a reasoner 
has actually constructed. In this paper I will (almost) completely abstract from 
the source of an AT. Moreover, unless stated otherwise, I will below implicitly 
assume an arbitrary but fixed AT. 

The relation of defeat is intended to be a weak notion: intuitively ‘A defeats 
B’ means that A and B are in conflict and that A is not worse than B. This 
means that two arguments can defeat each other. A typical example is the Nixon 
Diamond, with two arguments ‘Nixon is a pacifist because he is a Quaker’ and 
‘Nixon is not a pacifist because he is a Republican’. If there are no grounds for 
preferring one argument over the other, they defeat each other. 

¹ Below the subscripts will usually be left implicit. 

A stronger notion is captured by strict defeat (not used in Dung’s work), 
which by definition is asymmetric. A standard example is the Tweety Triangle, 
where (if arguments are compared with specificity) the argument that Tweety 
flies because it is a bird is strictly defeated by the argument that Tweety doesn’t 
fly since it is a penguin. 

A central notion of Dung’s framework is acceptability. Intuitively, it defines 
how an argument that cannot defend itself, can be protected from attacks by a 
set of arguments. Since [Prakken & Sartor 96a, Prakken & Sartor 97], on which 
this paper’s proof theory is based, use a slightly different notion of acceptability, 
I will tag Dung’s version with a d. 

Definition 2. An argument A is d-acceptable with respect to a set S of 
arguments iff each argument defeating A is defeated by some argument in S. 

The variant of Prakken & Sartor will just be called ‘acceptability’. 

Definition 3. An argument A is acceptable with respect to a set S of arguments 
iff each argument defeating A is strictly defeated by some argument in S. 

So the only difference is that Dung uses ‘defeat’ where Prakken & Sartor use 
‘strict defeat’. In Section 4.1 I will comment on the significance of this difference. 

To illustrate acceptability, consider the Tweety Triangle with A = ‘Tweety 
is a bird, so Tweety flies’, B = ‘Tweety is a penguin, so Tweety does not fly’ 
and C = ‘Tweety is not a penguin’, and assume that B strictly defeats A and 
C strictly defeats B. Then A is acceptable with respect to {C}, {A, C}, {B, C} 
and {A, B, C}, but not with respect to ∅ and {B}. 

Another central notion of Dung’s framework is that of an admissible set. 

Definition 4. A conflict-free set of arguments S is admissible iff each argument 
in S is d-acceptable with respect to S. 

In the Tweety Triangle the sets ∅, {C} and {A, C} are admissible but all other 
subsets of {A, B, C} are not admissible. 

On the basis of these definitions several notions of ‘argument extensions’ can 
be defined. These notions are purely declarative, in that they just declare a set 
of arguments to be ‘OK’, without defining how such a set can be constructed. 
For instance, Dung defines the following credulous notions. 

Definition 5. A conflict-free set S is a stable extension iff every argument that 
is not in S, is defeated by some argument in S. 

Consider an AT called TT (the Tweety Triangle) where $Args_{TT}$ = {A, B, C} and 
$defeats_{TT}$ = {(B, A), (C, B)}. TT has only one stable extension, viz. {A, C}. 
Consider next an AT called ND (the Nixon Diamond), with $Args_{ND}$ = {A, B}, 
where A = ‘Nixon is a quaker, so he is a pacifist’, B = ‘Nixon is a republican, 
so he is not a pacifist’, and $defeats_{ND}$ = {(A, B), (B, A)}. ND has two stable 
extensions, {A} and {B}. 

Since a stable extension is conflict-free, it reflects in some sense a coherent 
point of view. Moreover, it is a maximal point of view, in the sense that every 
possible argument is either accepted or rejected. The maximality requirement 
means that not all AT’s have stable extensions. Consider, for example, an AT 
with three arguments A, B and C, and such that A defeats B, B defeats C 
and C defeats A (such circular defeat relations can occur, for instance, in logic 
programming because of negation as failure, and in default logic because of the 
justification part of defaults). To give such AT’s a credulous semantics as well, 
Dung defines the notion of a preferred extension. 

Definition 6. A conflict-free set is a preferred extension iff it is a maximal (with 
respect to set inclusion) admissible set. 

Clearly all stable extensions are preferred extensions, so in the Nixon Diamond 
and the Tweety Triangle the two semantics coincide. However, not all preferred 
extensions are stable: in the above example with circular defeat relations the 
empty set is a (unique) preferred extension, which is not stable. 

Preferred and stable semantics clearly capture a credulous notion of defeasible 
consequence: in cases of an irresolvable conflict as in the Nixon diamond, 
two, mutually conflicting extensions are obtained. Dung also defines a notion 
of sceptical consequence, and it is for this notion that I will define the dialectical proof 
theory. Application of the proof theory to the credulous semantics will be briefly 
discussed in Section 5. Dung defines the sceptical semantics with a monotonic 
operator, which for each set S of arguments returns the set of all arguments 
d-acceptable to S. Its least fixpoint captures the smallest set which contains every 
argument that is acceptable to it. I will use the variant with plain acceptability. 

Definition 7. Let AT = (Args, defeat) be an argument-based theory and S 
any subset of Args. The characteristic function of AT is: 

— $F_{AT} : Pow(Args) \to Pow(Args)$ 

— $F_{AT}(S) = \{A \in Args \mid A$ is acceptable with respect to $S\}$ 

I now give the, perhaps more intuitive, definition of [Prakken & Sartor 96a], 
which by a result of [Dung 95] for finitary AT’s is equivalent to the fixpoint 
version (which is also used in [Prakken & Sartor 97]). The formal results on the 
proof theory hold for both formulations, although for the fixpoint formulation 
completeness holds under the condition that the AT is finitary; cf. [Dung 95, 
Prakken & Sartor 97]. 

Definition 8. For any AT = (Args, defeat) we define the following sequence of 
subsets of Args. 

— $F^0_{AT} = \emptyset$ 

— $F^{i+1}_{AT} = \{A \in Args \mid A$ is acceptable with respect to $F^i_{AT}\}$. 

Then the set $JustArgs_{AT}$ of arguments that are justified on the basis of AT is 
$\bigcup_{i=0}^{\infty}(F^i_{AT})$. 

In this definition the notion of acceptability captures reinstatement of arguments: 
if all arguments that defeat A are themselves defeated by an argument in $F^i$, 
then A is in $F^{i+1}$. To illustrate this with the Tweety Triangle: $F^1_{TT}$ = {C}, 
$F^2_{TT}$ = {A, C}, $F^3_{TT} = F^2_{TT}$, so A is reinstated at $F^2$ by C. 

That this semantics is sceptical is illustrated by the Nixon Diamond: $F^1_{ND} = 
F^0_{ND} = \emptyset$. 
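
The definitions of this section can be checked mechanically on the three theories discussed above (Tweety Triangle, Nixon Diamond, circular defeat). The following Python sketch is an added example, not code from the paper; the function names and the encoding of an AT as a pair of a name set and a set of (attacker, target) pairs are assumptions made here, and the brute-force subset enumeration is only meant for small finite theories.

```python
from itertools import combinations

# Constructed encodings of the theories named in the text: (Args, defeat),
# where defeat is a set of (attacker, target) pairs.
TT = ({"A", "B", "C"}, {("B", "A"), ("C", "B")})                   # Tweety Triangle
ND = ({"A", "B"}, {("A", "B"), ("B", "A")})                        # Nixon Diamond
CYCLE = ({"A", "B", "C"}, {("A", "B"), ("B", "C"), ("C", "A")})    # circular defeat


def strictly_defeats(defeat, x, y):
    """Definition 1: x defeats y and y does not defeat x."""
    return (x, y) in defeat and (y, x) not in defeat


def conflict_free(defeat, s):
    """No member of s is defeated by a member of s."""
    return not any((x, y) in defeat for x in s for y in s)


def acceptable(at, a, s, strict=True):
    """Definition 3 (strict=True) or Dung's d-acceptability, Definition 2."""
    args, defeat = at

    def countered(b):
        if strict:
            return any(strictly_defeats(defeat, c, b) for c in s)
        return any((c, b) in defeat for c in s)

    return all(countered(b) for b in args if (b, a) in defeat)


def subsets(args):
    """All subsets of args, smallest first, in a deterministic order."""
    items = sorted(args)
    for size in range(len(items) + 1):
        for combo in combinations(items, size):
            yield frozenset(combo)


def admissible_sets(at):
    """Definition 4: conflict-free and every member d-acceptable w.r.t. the set."""
    args, defeat = at
    return [s for s in subsets(args)
            if conflict_free(defeat, s)
            and all(acceptable(at, a, s, strict=False) for a in s)]


def stable_extensions(at):
    """Definition 5: conflict-free and defeating every argument outside the set."""
    args, defeat = at
    return [s for s in subsets(args)
            if conflict_free(defeat, s)
            and all(any((c, a) in defeat for c in s) for a in args - s)]


def preferred_extensions(at):
    """Definition 6: admissible sets that are maximal under set inclusion."""
    adm = admissible_sets(at)
    return [s for s in adm if not any(s < t for t in adm)]


def justified(at):
    """Definition 8: iterate F from the empty set until it stops growing.

    Returns (JustArgs, [F^0, F^1, ...]); terminates for any finite AT because
    F is monotonic, so the stages form an increasing chain.
    """
    args, _ = at
    stages = [frozenset()]
    while True:
        nxt = frozenset(a for a in args if acceptable(at, a, stages[-1]))
        if nxt == stages[-1]:
            return frozenset().union(*stages), stages
        stages.append(nxt)


if __name__ == "__main__":
    for name, at in (("TT", TT), ("ND", ND), ("CYCLE", CYCLE)):
        just, stages = justified(at)
        print(name, "stages:", [sorted(s) for s in stages],
              "stable:", [sorted(s) for s in stable_extensions(at)],
              "preferred:", [sorted(s) for s in preferred_extensions(at)])
```
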

3 A dialectical proof theory 

3.1 General idea and illustrations 

In this section a dialectical proof theory will be defined for the just-presented 
sceptical semantics. Essentially it is a notational variant of [Dung94]’s dialogue 
game version of his sceptical semantics of extended logic programs. A proof of 
a formula takes the form of a dialogue tree, where each branch is a dialogue, 
and the root of the tree is an argument for the formula. The idea is that every 
move in a dialogue consists of an argument based on an implicitly assumed 
AT, and that each move attacks the last move of the opponent in a way that 
meets the player’s burden of proof. That a move consists of a complete argument 
means that the search for an individual argument is conducted in a ‘monological’ 
fashion, determined by the nature of the underlying logic; only the process of 
considering counterarguments is modelled dialectically. The required force of a 
move depends on who states it, and is motivated by the definition of acceptability. 
Since the proponent wants a conclusion to be justified, a proponent’s move 
has to be strictly defeating, while since the opponent only wants to prevent the 
conclusion from being justified, an opponent’s move may be just defeating. 

Let us illustrate this with an informal example of a dialogue (recall that 
it implicitly assumes a given AT). Let us denote the arguments stated by the 
proponent by $P_i$ and those of the opponent by $O_i$. The proponent starts the 
dispute by asserting that $P_1$ is a justified argument. 

$P_1$: Assuming the evidence concerning the glove was not forged, 
it proves guilt of OJ. 

(Many nonmonotonic logics allow the formalization of assumptions, e.g. logic 
programming with negation as failure and default logic with the justification 
part of a default.) 

The opponent must defeat this argument. Suppose O can do so in only one 
way. 

$O_1$: I know that the evidence concerning the glove was forged, 
so your assumption is not warranted. 

The proponent now has to counterattack with an argument that strictly defeats 
$O_1$. Consider the following argument 

$P_2$: The evidence concerning the glove was not forged, since it was found 
by a police officer, and police officers don’t forge evidence. 

and suppose (for the sake of illustration) that defeat is determined by specificity 
considerations. Then $P_2$ strictly defeats $O_1$, so $P_2$ is a possible move. If the 
opponent has no new moves available from $Args_{AT}$, s/he loses, and the conclusion 
that OJ is guilty has been proved. 

In dialectical proof systems a ‘loop checker’ can be implemented in a very 
natural way: no two moves of the proponent in the same branch of the dialogue 
may have the same content. It is easy to see that this rule will not harm P: if 
O had a move the first time P stated the argument, it will also have a move the 
second time, so no repetition by P can make P win a dialogue. 

Assume for illustration that the arguments in Args are those that can be 
made by chaining one or more of the following premises: 

(1) Mr. F forged the glove-evidence 

(2) Someone who forges evidence is not honest 

(3) Mr. F is a police officer 

(4) Police officers are honest 

(5) Someone who is honest, does not forge evidence. 

Assume again that defeat is determined by specificity, in the obvious way. Now 
the proponent argues that Mr. F did not forge the glove-evidence. 

$P_1$: Mr. F is a police officer, so he is honest and 
therefore does not forge evidence. 

O attacks this argument on its ‘subconclusion’ that Mr. F is honest; and since 
the counterargument is more specific, this is a defeating argument. 

$O_1$: I know that F forged evidence, and this shows that he is not honest. 

P now wants to attack O’s argument in the same way as O attacked P’s argu- 
ment: by launching a more specific attack on O’s ‘subconclusion’ that F forged 
the glove-evidence. However, P has already stated that argument at the begin- 
ning of the dispute, so the move is not allowed. And no other strictly defeating 
argument is available, so it is not provable that Mr. F did not forge the glove- 
evidence, not even that he is honest. However, by a completely symmetric line 
of reasoning we obtain that also the contrary conclusions are not provable. So 
no conclusion about whether Mr. F is honest or not, and forged evidence or not, 
is provably justified. 
3.2 The proof theory

Now the dialectical proof theory will be formally defined. Again the definitions
assume an arbitrary but fixed AT.

Definition 9. A dialogue is a finite nonempty sequence of moves move_i =
(Player_i, Arg_i) (i > 0), such that

1. Player_i = P iff i is odd; and Player_i = O iff i is even;

2. If Player_i = Player_j = P and i ≠ j, then Arg_i ≠ Arg_j;

3. If Player_i = P, then Arg_i strictly defeats Arg_{i-1};

4. If Player_i = O, then Arg_i defeats Arg_{i-1}.

The first condition says that the proponent begins and then the players take 
turns, while the second condition prevents the proponent from repeating its 
attacks. The last two conditions form the heart of the definition: they state the 
burdens of proof for P and O. 

Definition 10. A dialogue tree is a tree of dialogues such that if Player_i = P
then the children of move_i are all defeaters of Arg_i.

It is this definition that makes dialogue trees candidates for being proofs: it 
says that the tree should consider all possible ways in which O can attack an 
argument of P. 

Definition 11. A player wins a dialogue iff the other player cannot move. And 
a player wins a dialogue tree iff it wins all branches of the tree. 

The idea of this definition is that if P’s last argument is undefeated, it reinstates 
all previous arguments of P that occur in the same branch of a tree, in particular 
the root of the tree. 

Definition 12. An argument A is provably justified iff there is a dialogue tree 
with A as its root, and won by the proponent. 

In [Prakken & Sartor 97] it is shown that this proof theory is sound and for
finitary AT’s also complete with respect to the sceptical fixpoint semantics. This
is not surprising, since what the proof theory does is, basically, traversing the
sequence defined by Definition 8 in the reverse direction. Note that it implies
that an argument A is justified iff there is a sequence F^1, ..., F^n such that A
occurs for the first time in F^n (in the explicit fixpoint definition of [Dung 95,
Prakken & Sartor 97] this only holds for finitary AT’s; in the general case only
the ‘if’ part holds). We start with A, and then for any argument B defeating
A we find an argument C in that strictly defeats B and so indirectly
supports A. Then any argument defeating C is met with a strict defeater from
and so on. Since the sequence is finite, we end with an argument indirectly
supporting A that cannot be defeated.

It should be noted that completeness here does not imply semi-decidability:
if the logic for constructing individual arguments is not decidable, then the search
for counterarguments is, as is well-known, not even semi-decidable.
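The dialogue game of Definitions 9 to 12 can be run directly on a finite framework. The following Python sketch is an added example, not code from the paper; it assumes the defeat relation is given as a set of (attacker, attacked) pairs, and both sample frameworks are constructed for illustration: the glove dispute with the defeat relation described in the text, and a four-argument cycle of strict defeats in which only the non-repetition rule stops P.

```python
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Defeat = Set[Tuple[str, str]]            # (attacker, attacked) pairs
Tree = Tuple[str, Dict[str, "Tree"]]     # (P's argument, {O's reply: P's answer})


def defeaters(defeat: Defeat, target: str) -> List[str]:
    """All arguments that defeat `target`, in a stable order."""
    return sorted(a for (a, t) in defeat if t == target)


def strictly_defeats(defeat: Defeat, a: str, b: str) -> bool:
    """a strictly defeats b iff a defeats b and b does not defeat a."""
    return (a, b) in defeat and (b, a) not in defeat


def winning_tree(defeat: Defeat, arg: str,
                 used: FrozenSet[str] = frozenset()) -> Optional[Tree]:
    """Return a dialogue tree rooted at P's move `arg` that P wins, or None.

    `used` holds the contents of P's earlier moves in this branch
    (Definition 9, condition 2). Because P may never repeat a move, the
    depth of every branch is bounded by the number of arguments, so the
    search terminates on any finite framework.
    """
    used = used | {arg}
    answers: Dict[str, Tree] = {}
    # Definition 10: the tree must contain every defeater O can put forward.
    for o_arg in defeaters(defeat, arg):
        # Definition 9, condition 3: P must answer with a strict defeater.
        for p_arg in defeaters(defeat, o_arg):
            if p_arg in used or not strictly_defeats(defeat, p_arg, o_arg):
                continue
            subtree = winning_tree(defeat, p_arg, used)
            if subtree is not None:
                answers[o_arg] = subtree
                break
        else:
            # P has no winning reply to this attack: O wins the branch.
            return None
    # Definition 11: P wins every branch, since O cannot move at the leaves.
    return (arg, answers)


def provably_justified(defeat: Defeat, arg: str) -> bool:
    """Definition 12: some dialogue tree with root `arg` is won by P."""
    return winning_tree(defeat, arg) is not None


# Constructed sample 1: the glove dispute. O1 defeats P1 by attacking its
# assumption; P2 strictly defeats O1 (by specificity, as in the text).
GLOVE: Defeat = {("O1", "P1"), ("P2", "O1")}

# Constructed sample 2: a cycle of strict defeats B > A, C > B, D > C, A > D.
# The dialogue A, B, C, D would continue with A again; the non-repetition
# rule forbids that move, so P is stuck and nothing is provably justified.
CYCLE: Defeat = {("B", "A"), ("C", "B"), ("D", "C"), ("A", "D")}


if __name__ == "__main__":
    print("glove proof tree:", winning_tree(GLOVE, "P1"))
    for name in "ABCD":
        print(name, "provably justified:", provably_justified(CYCLE, name))
```

Dropping the `p_arg in used` test makes the search on the cyclic sample recurse without end, which is the looping behaviour the non-repetition rule is there to prevent.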
4 Defeasible priorities

In several argumentation frameworks, as in many other nonmonotonic logics, 
the defeat relation is partly defined with the help of priority relations, usually 
defined on the premises, but sometimes directly on arguments. In most systems 
these priorities are undisputable and assumed consistent. However, as discussed 
in e.g. [Gordon 95, Prakken & Sartor 96b, Hage 97], these features are often un- 
realistic. In several domains of practical reasoning, such as legal reasoning, the 
priorities are themselves subject to debate, and therefore a full theory of defea- 
sible argumentation should also be able to formalise arguments about priorities, 
and to adjudicate between such arguments. 

This section presents a formalisation of this feature, which forms the main 
technical addition to [Dung 93b, Dung94]. As the previous section, also this 
section is based on [Prakken & Sartor 96a], in which the semantics of [Dung 93b] 
is revised, and on [Prakken & Sartor 97], in which the same is done with the 
proof theory of [Dung94]. The present section generalises these revisions to any 
system fitting the format of [Dung 95]. 

However the generalisation is only well-defined if the logic generating an AT 
satisfies some additional assumptions. Firstly, I assume that for each AT a set 
O is defined of objects to be ordered. For most AT’s the set O will contain the 
premises from which the arguments of the AT can be constructed; however, since 
some AT’s instead define the priorities between sets of premises or even directly 
between arguments (as [Vreeswijk 93a]), I will leave the content of O undefined. 

Next I assume that the defeat relation of an AT is determined by a strict 
partial ordering of O. In fact, this assumption transforms the defeat relation 
of an AT into a set of defeat relations <-defeat, where < is any strict partial 
ordering of O. 

On the basis of these assumptions I now define the notion of a prioritised 
argument-based theory. 

Definition 13. A prioritised argument-based theory (PAT for short) is a triple
(Args_PAT, O_PAT, defeat_PAT),[1] where Args_PAT is a set of arguments, and where
defeat_PAT is a set of binary relations <-defeat on Args_PAT, < being any strict
partial order on O_PAT.

— A PAT is finitary iff for all < each argument in Args_PAT is <-defeated by
at most a finite number of arguments in Args_PAT.

— An argument A strictly <-defeats an argument B iff A <-defeats B and B
does not <-defeat A.

— A set of arguments is <-conflict-free iff no argument in the set is <-defeated
by another argument in the set.

Finally, I assume that the argument language of a PAT is sufficiently expressive
to express partial orderings on O; i.e. I assume that this language contains a
distinguished two-place predicate symbol ≺ intended to denote the relation <,
and that there is a naming function N : O → Names, where Names is a set of
terms. N is not assumed to be a bijection, since it might be handy to assign the
same name to more than one object.

[1] Below the subscripts will usually be left implicit.

4.1 Changing the semantics 

Now how can we make the priorities that are needed to determine defeat,
defeasible consequences of the AT, according to Definition 8? The idea is that in
determining whether an argument is acceptable with respect to we look
at those priority statements that are conclusions of arguments in F^i. To this
end I first define the notion of an ordering expressed by a set of arguments.

Definition 14. For any set S of arguments

<_S = {o < o' | N(o) ≺ N(o') is a conclusion of some A ∈ S}

Below I will abbreviate ‘<_S-defeat’ as ‘S-defeat’; and for singleton sets {C} I
will write ‘{C}-defeat’ as ‘C-defeat’.

For arbitrary sets S it is not guaranteed that <_S is a strict partial order. However,
it is sufficient that the properties hold for each <_{F^i}. In virtually any
nonmonotonic logic this can be assured by including the axioms of a strict partial order
for ≺ in the undebatable part of the premises (see [Prakken & Sartor 97] for an
illustration in argument-based extended logic programming).

I now redefine the notion of acceptability as follows (d-acceptability can be 
changed in the same way). 

Definition 15. An argument A is acceptable with respect to a set S of arguments
iff all arguments S-defeating A are strictly S-defeated by some argument in S.

Note that with this definition Dung’s original definition is not only changed (by 
using strict defeat), but also refined: this is since Dung does not consider defea- 
sible priorities and therefore does not make defeat relative to sets of arguments. 

Definition 8 can now be applied with Definition 15. However, to make this
application well-behaved, the notion of S-defeat should have the following two
properties, which are crucial in proving that each F^i is contained in
this in turn guarantees that each set of justified arguments is conflict-free.
The properties are also crucial in proving that the explicit-fixpoint definition
of [Prakken & Sartor 97] is monotonic. Note that they do not follow from the
above definitions but must instead be enforced by a proper definition of the
notion of defeat.

Property 4.1 For any two conflict-free sets of arguments S and S' such that
S ⊆ S', and any two arguments A and B we have that

1. If A S'-defeats B, then A S-defeats B.

2. If A strictly S-defeats B, then A strictly S'-defeats B.
Given our weak interpretation of the defeat notion, this property can easily
be enforced: the idea is to define ‘A S-defeats B’ in terms of the absence of
priorities in <_S that would make A worse than B; then adding more priorities
cannot create new defeat relations, while the only defeat relations that go away
are one side of a mutual defeat relation.

Property 4.2 For any conflict-free set of arguments S and arguments A ∈ S
and B: if A strictly S-defeats B, then some C ∈ S strictly C-defeats B.

Also this property seems very natural. The intuition behind it is that C is the
combination of A with the priority arguments in S that make A strictly S-defeat
B; and C can then be used in a dialectical proof as a reply to B.

I can now comment on the use of strict defeat in Definitions 3 and 15: Prop- 
erty 4.1(2) will usually not hold for defeat, while yet it is essential to make 
Definition 8 well-behaved when combined with Definition 15. 



4.2 Changing the proof theory 

I now discuss how the proof theory must be changed. The main problem here is 
on the basis of which priorities the defeating force of the moves should be deter- 
mined. What is to be avoided is that we have to generate all priority arguments 
before we can determine the defeating force of a move. The pleasant surprise is 
that, to achieve this, a few very simple conditions suffice. For O it is sufficient
that its move ∅-defeats P’s previous move. This is so since Property 4.1 implies
that if A is for some S an S-defeater of P’s previous move, it is also an ∅-defeater
of that move. So O does not have to take priorities into account. Let us illustrate
this by modifying our informal glove dialogue as follows (we again leave it to 
the readers to formalise the arguments in their favourite formalism). Again the 
proponent starts with 

P1: Assuming the evidence concerning the glove was not forged,
it proves guilt of OJ.

Suppose the opponent now replies with

O1: I know that the evidence concerning the glove was forged,
since I was told so, so your assumption is not warranted.

In agreement with most nonmonotonic logics, I assume that an attack on an
assumption succeeds if no priority relations hold: i.e. O1 ∅-defeats P1.

P, on the other hand, should take some priorities into account, since strict 
defeat usually requires ‘better than’ relations between rules. However, it suffices 
to apply only those priorities that are stated by P’s move; more priorities are 
not needed, since Property 4.1 also implies that if P’s argument Arg_i strictly
Arg_i-defeats O’s previous move, it will also do so whatever more priorities will
be derived. So P can reply to O1 with

P2: The evidence concerning the glove was not forged, since it was found
by a police officer, and as a general rule police officers
don’t forge evidence. This rule is more reliable than your
rule that what you are told is true.

Because of the priority statement at the end, P2 strictly P2-defeats O1.

However, this is not the only type of move that the proponent should be
allowed to make. To see this, note that O can respond with repeating O1 as
O2, at least assuming that O1 ∅-defeats P2, which in many systems it will do
(e.g. in [Prakken & Sartor 96a]). And because of the nonrepetition rule P cannot
respond to O2 with P3 = P2. Therefore P must be allowed to state a priority
argument that neutralises the defeating force of O2, i.e. to state an argument P3
such that O2 does not P3-defeat P1. If P is allowed to make such a move, it can
in our example repeat the priority part of P2:

P3: The rule that police officers don’t forge evidence is more reliable
than your rule that what you are told is true.

Of course, O might challenge P’s priority argument, for instance, by saying that
instead the ‘what I am told is true’ rule is more reliable since O only listens
to very reliable people. However, I will end the discussion of our example and
describe the changes of the proof theory. All we have to change is the burdens
of proof in Definition 9:

(3) If Player_i = P then

— Arg_i strictly Arg_i-defeats Arg_{i-1}; or

— Arg_{i-1} does not Arg_i-defeat Arg_{i-2}.

(4) If Player_i = O then Arg_i ∅-defeats Arg_{i-1}.

The other definitions stay the same.

In [Prakken & Sartor 97] it is shown that the proof theory is, with respect
to the fixpoint semantics, sound in the general case and complete for finitary
AT’s. The corresponding results for the system with fixed priorities are proven
as a special case. Although these results are proven for a particular system, the 
proofs are based on only the definitions and properties presented in this paper. 

4.3 A clash of intuitions 

In some cases the semantics of this section gives results that seem debatable. 
Consider an AT with Args_AT = {A, B, C, D} where A = ‘John is an adult, so
John is employed’, B = ‘John is a student, so John is unemployed’, C = ‘John is
imprisoned, so John is unemployed’ and D is a priority argument with conclusion
A ≺ B ∨ A ≺ C. Assume that this induces an ordering <justArgsAT— that
none of the arguments is justified. Assume now that if this ordering were instead
{A < B} or {A < C}, then B and C would be justified and A overruled. It
might be argued that then this should also be the outcome in the original case.
However, intuitions seem to differ here: from a constructive point of view the 
outcome of the present definitions seems acceptable. 

Yet it is worthwhile investigating how the alternative, non-constructive intu- 
ition can be formalized. Probably techniques from [Brewka 94a] and [Prakken 95] 
can be used, which formalize the non-constructive intuition for extension-based 
systems, but this has to be left for future research, as well as the corresponding 
proof theory. Alternatively, syntactic restrictions will do; practically this seems 
a feasible option, since in practical applications disjunctive priority information 
seems very rare. 

5 Proof theory for credulous semantics 

In this section I sketch how a dialectical proof theory can be developed for the 
credulous semantics discussed in Section 2. I will first focus on the case with fixed
priorities. Defining a proof theory for stable semantics will not be easy, since we 
always have to prove that a stable extension exists. Therefore I concentrate on 
preferred semantics. This is also relevant for stable semantics, since [Dung 95] 
identifies conditions under which preferred and stable semantics coincide. 

Note first that the existence of a proof means that the argument is in some 
preferred extension. Now the idea is to reverse the burden of proof of P and O. 
P now only has to defeat O’s arguments, while O now must strictly defeat P’s
moves. Moreover, the non-repetition rule now holds for O instead of for P, while
the children of P’s moves are now all its strict defeaters. Finally, since preferred
extensions are conflict-free, we must require that in each dialogue the set of all 
moves of the proponent is conflict-free. 

With respect to soundness and completeness, it is relevant that by definition 
every admissible set is contained in some preferred extension. Then soundness 
follows since it is easy to see that the union of all P’s arguments in a dialogue tree
is an admissible set. Completeness can be proven for the finite case, by showing 
that each finite admissible set corresponds to a proof for each of its members. For 
the infinite case there are obvious counterexamples. Consider e.g. an infinite set 
of arguments {A_1, ..., A_n, ...}, where each A_i (i > 1) strictly defeats A_{i-1}: both
the set of all ‘odd’, and that of all ‘even’ arguments are preferred extensions, but 
any ‘proof’ has to be infinite. 

Extending these ideas to the case with defeasible priorities is still to be in- 
vestigated. 

6 Formal models of agents and protocols for dispute 

With respect to formal models of agents this paper is relevant as follows. As 
noted earlier by [Vreeswijk 96], the dialectical proof theory can serve as the 
‘logical core’ of protocols for disputes in multi-agent decision and negotiation 
processes (where the agents can be humans, computers or a combination of 
both). Such protocols define possible, allowed or obligatory dialogue moves of
the agents involved in the dispute, and they define criteria for termination and
evaluation of a dispute. Such protocols can be studied as to their degree of
rationality (cf. e.g. [Loui 93, Gordon 95, Vreeswijk 96]). The leading idea here is
that rationality has a procedural side: an argument is acceptable if it has been
successfully defended in a properly conducted dispute. The main aim of this line
of research is to find out what makes a dispute proper, i.e. what makes it fair
and effective.

A key feature of realistic disputes is that the body of information from which 
arguments can be constructed is not given in advance, but is constructed dy- 
namically in the course of a debate. Although our dialectical proof theory is 
relative to a given set of arguments, it can still be embedded in such protocols 
for dispute (cf. also [Loui & Norman 95, Vreeswijk 96]). The set Args_AT is then
defined as the arguments that are constructible on the basis of the premises that
are introduced and not withdrawn at a given stage. Thus our definitions also
apply to disputes where the set of premises is dynamically constructed. Moreover,
the soundness and completeness results are thus part of the criteria for fair and
effective disputation. This is at least how [Vreeswijk 96] defines fairness and
effectiveness: a protocol is fair if every argument that can be successfully defended
against every attack is justified, and it is effective if every justified argument can
be successfully defended against every attack.

7 Concluding remarks 

In this paper I have discussed three contributions to the formalisation of defeasi- 
ble argumentation. Firstly, I have, by generalising work of [Prakken & Sartor 96a], 
discussed how the abstract framework of [Dung 95, Bondarenko et al. 95] can 
be extended with defeasible priorities. Secondly, I have, by generalising work 
of [Dung94] and [Prakken & Sartor 97], discussed how dialectical proof theories 
can be defined for this framework and its extension. Finally, I have given an
impression of the research questions that arise in the dialectical approach to the 
proof theory of defeasible argumentation, and I have indicated how this approach 
is relevant to formal protocols for disputation in multi-agent environments. 

As for future research, first of all the preliminary contributions of this paper
should, of course, be further developed. Moreover, it would be interesting to 
investigate in more detail the relation between dialectical proof theories and 
dialectical protocols for disputation. 
Abstract. A theory of diagnosis and qualitative decision theory are able to
formalize reasoning with norms. They are thus different from deontic logic, which
formalizes reasoning about norms. In this paper, we compare two theories of
diagnosis for normative systems: Ramos and Fiadeiro’s theory of diagnosis developed
for organizational process design and Tan and Van der Torre’s theory of diagnosis
extended with notions of qualitative decision theory. We observe several
similarities.



1 Introduction 

In this paper we argue that normative reasoning is more than deontic logic. Deontic logic
tells you which obligations can be derived from a set of other obligations. In particular,
it characterizes the logical relations between obligations. For example, in most deontic
logics the conjunction p ∧ q is obliged, if both p and q are obliged. However, it does
not explain how norms affect the behavior of rational agents. From Op you cannot infer
whether somebody will actually perform p. This is not a criticism of deontic logic, it is just
an observation. Deontic logic was never intended to explain this effect of norms on
behavior. However, if we want to explain all the different aspects of normative reasoning,
then we need more formalisms than just deontic logic. In this paper we discuss two
formalisms that can be used to analyze two different types of aspects of how norms affect
behavior, namely the theory of diagnosis and qualitative decision theory.

Two theories that are able to formalize reasoning with norms are represented in
Figure 1. A theory of diagnosis reasons about violations. In particular, it reasons about the
past with incomplete knowledge (if everything is known then a diagnosis is completely
known). Diagnostic theories have a modest purpose, because they do not support the
decision-making process of the user. They do not derive decisions, they only check
systems against given principles. A more expressive framework is qualitative decision
theory. Qualitative decision theory describes how norms influence behavior. It is based on
the concept of agent rationality. For example, in a normative system usually sanctions
and rewards correspond with norms, and a rational agent tries to evade penalties and
achieve rewards. In contrast to diagnostic theories, a (qualitative) decision theory
reasons about the future. The main characteristic of qualitative decision theory is that it is
goal oriented reasoning, usually for planning problems. Moreover, it combines
reasoning about goals with uncertainty. This reasoning is based on the application of strategies,
which can be considered as qualitative versions of the ‘maximum utility’ criterion.



[Figure: diagram with the labels ‘(qualitative) decision theory’, ‘theory of diagnosis’, ‘judge’ and a ‘time’ axis]

Fig. 1. Reasoning with norms



Logical relations between obligations are an essential component of any formalism 
that explains the effect of norms on behavior. Hence, in this paper we also argue that de- 
ontic logic can be used as a component in the theory of diagnosis as well as qualitative 
decision theory. Actually, we even argue for the stronger claim that the theory of diagno- 
sis as well as qualitative decision theory can be viewed as extensions of deontic logic. 
In both cases the formalism contains extra principles that are added to a deontic logic 
basis. For example, in the case of the theory of diagnosis one of the principles that can 
be added to deontic logic is the parsimony principle, i.e. the assumption that as few as 
possible obligations are violated. There is nothing contradictory in the claim that on the 
one hand these formalisms explain aspects of normative behavior that deontic logic does 
not, whereas deontic logic is still an essential component of these theories. In the same 
sense physics can explain phenomena that mathematics cannot, whereas mathematics is 
still an essential component of physics. There are several structural similarities between 
preference-based deontic logic and the logics developed for diagnosis and qualitative 
decision theory, see e.g. [Bou94,Lan96]. The distinction between the different perspec- 
tives and deontic logic raises several important questions. 

Norms and dedicated theories. The diagnosis of a normative system can use a
formalism to represent norms and additional assumptions or principles to do the
diagnosis. For example, Reiter’s diagnosis is basically a minimization principle (called the
principle of parsimony). Similarly, qualitative decision theory has a formalism for
representing norms (or goals) and additional assumptions or principles to reason
with them. Is such a special purpose formalism a deontic logic? How do they stand
the test against the Chisholm paradox, the paradox of the gentle murderer, the
problem of how to represent permissions, the problem of conflicting obligations? What
are the structural similarities and distinctions between the different formalisms?

Norms and preferences [Lan96]. Qualitative decision theory is based upon the
concept of preference. This preference is a kind of desire, i.e. it is an endogenously
motivating mechanism (coming from the agent itself). Therefore, it is not a natural
candidate for dealing with normative decision-making, since a norm is by
definition exogenous, in the sense that it is something the agent would not spontaneously
want. How do agents work out norms in terms of gains and losses? What are the
gains of observing norms? How do they learn the effects of norms and how do they
reason about these effects? Which rules are implied, which ingredients enable agents
to make normative decisions? In which way does a normative decider differ from
an ordinary decider, if any?

Norms and obligations. A deontic logic does not derive actual but ideal behaviors. Do
we have to distinguish the obligations derivable from a set of norms and a set of
facts, from the norms themselves? What is the role of so-called factual detachment in
deontic logic?

In this paper we analyze structural properties of formalisms used in two dedicated
theories of diagnosis, and we relate the formalisms to deontic logic. Reiter formalized
in [Rei87] the model-based reasoning approach to diagnosis, and that theory is adapted
to deontic systems in [TvdT94a,TvdT94b,RF96b,RF96a] by using obligations to
represent the ideal behavior of a system. In Reiter’s theory of diagnosis, a violation is
represented by a predicate expression Ab(c), where c is a component of a system to be
diagnosed and Ab an abnormality predicate. For example, this violation can be derived
from the system description that p is the correct behavior of a component ¬Ab(c) → p
and the observation ¬p. In a modal deontic logic, a violation can be represented by the
sentence ¬p ∧ Op, where the modal sentence Op is read as ‘it is obligatory that p.’ The
typical diagnostic reasoning with normative systems is performed by a judge, who has
to determine whether a suspect is guilty or not. Diagnostic reasoning has to deal with
incomplete knowledge, not formalized in a deontic logic. For example, a popular
additional assumption of theories of diagnosis is the so-called principle of parsimony: ‘you
are innocent until proven guilty.’ Such a principle about incomplete knowledge is not
made in deontic logic; it is an extra-logical assumption about the legal domain.

The Diagnostic framework for DEontic reasoning DIODE [TvdT94b,TvdT94a] is
Reiter’s theory of diagnosis [Rei87] applied to normative systems. In this paper we
compare two extensions of DIODE. The first extension is DDD, Ramos and Fiadeiro’s Deontic
framework for Diagnosis of process Design [RF96b,RF96a]. They make a distinction
between benevolent and exigent diagnoses, respectively minimal and maximal
violated-norm sets (comparable to sets of broken components in Reiter’s theory). Moreover, they
make a distinction between structural concepts and design actions. Their deontics-based
diagnosis is based on a minimal deontic logic Ldd. The second extension of DIODE
is Tan and Van der Torre’s Diagnostic and DEcision-theoretic framework for DEontic
reasoning DIO(DE)^2. The most important element of (qualitative) decision theory
incorporated in DIO(DE)^2 is - besides the violation-oriented reasoning of DIODE - also
goal-oriented reasoning. Deontic-based diagnosis is based on the two-phase
preference-based deontic logic 2dl. Two-phase reasoning illustrates the distinction between
reasoning about violated-norm sets and reasoning about diagnoses, i.e. minimal
violated-norm sets.

We identify several similarities between the two approaches DDD and DIO(DE)^2.
DIODE defines minimal violated-norm sets, based on the basic distinction between
violated and non-violated norms. DDD defines also maximal violated-norm sets, based on
the distinction between fulfilled and non-fulfilled norms. The exigent diagnosis
corresponds to qualitative decision theory in the sense that exigent diagnosis not only reasons
about the past (about incomplete knowledge) but also reasons about the future (design
actions). For example, the distinction between structural concepts and design actions in
DDD corresponds to the distinction between parameters and decision variables in
qualitative decision theory. The theory DDD is not only used for diagnosis, but for more general
decision support. Moreover, we also observe several similarities in the logics Ldd and
2dl like a contingency clause (the use of consistency checks) and lack of weakening of
the consequent.

The layout of this paper is as follows. In Section 2 we discuss Reiter’s theory of diag- 
nosis, the adaptation of that theory to deontic systems by using obligations to represent 
the ideal behavior of a system, and qualitative decision theory. In Section 3 we discuss 
the framework of Ramos and Fiadeiro, in Section 4 the framework of Tan and Van der 
Torre and in Section 5 we compare them. 

2 The role of deontic logic in diagnosis and qualitative decision 
theory 

Deontic logic formalizes reasoning about norms. Two important extensions of deontic 
logic that reason with norms are theory of diagnosis and qualitative decision theory. They 
are extensions in the sense that reasoning with norms uses a formalization of norms (al- 
though several aspects of norms may not be represented in a particular formalization 
of the norms). In this section we discuss the two theories that formalize reasoning with 
norms, and we observe a distinction in deontic logic analogous to the distinction between
diagnosis and decisions.

2.1 Reiter’s theory of diagnosis and DIODE

The model based reasoning approach has been studied for several years (for a survey of 
the topic see [DW88]). Numerous applications have been built, most of all for diagnosis 
of physical devices. The basic paradigm is the interaction of prediction and observation. 
Predictions are expected outputs given the assumption that all the components are work- 
ing properly (i.e. are working according to the model of the structure and behavior of the 
system). If a discrepancy between the output of the system (given a particular input) and 
the prediction is found, the diagnosis procedure will search for defects in the components 
of the system (the correctness of the model is assumed). 

The contribution of Reiter to the theory of diagnosis is widely accepted. His
consistency based approach [Rei87] is the first one to model the model based reasoning
approach to diagnosis. The main goal is to eliminate system inconsistency, identifying the
minimal set of abnormal components that is responsible for the inconsistency. That is,
reasoning about diagnosis is based on the following assumption of diagnostic reasoning.

Principle of parsimony Diagnostic reasoning is based on the conjecture that
the set of faulty components is minimal (with respect to set inclusion).

Related to a diagnosis is a set of measurements. Finally, a conflict set is a minimal set 
of components of which at least one is broken (such sets are used in efficient diagnostic 
algorithms). 

Definition 1. (Diagnosis) A system is a pair (COMP, SD) where COMP, the system
components, is a finite set of constants denoting the components of the system, and SD, the
system description, is a set of first-order sentences. An observation of a system is a
finite set of first-order sentences. A system to be diagnosed, written as (COMP, SD, OBS),
is a system (COMP, SD) with observation OBS. A diagnosis for (COMP, SD, OBS) is a
minimal (with respect to set inclusion) set $\Delta \subseteq \mathrm{COMP}$ such that

$$\mathrm{CONTEXT}_\Delta = \mathrm{SD} \cup \mathrm{OBS} \cup \{Ab(c) \mid c \in \Delta\} \cup \{\neg Ab(c) \mid c \in \mathrm{COMP} - \Delta\}$$

is consistent. A diagnosis $\Delta$ for (COMP, SD, OBS) predicts a measurement $\Pi$ iff

$$\mathrm{CONTEXT}_\Delta \models \Pi$$

A conflict set for a system to be diagnosed (COMP, SD, OBS) is a minimal (with respect
to set inclusion) set $\Delta \subseteq \mathrm{COMP}$ such that $\mathrm{CONTEXT}_\Delta$ is inconsistent.

The Diagnostic framework for DEontic reasoning DIODE formalizes deontic reasoning
as a kind of diagnostic reasoning. Notice that DIODE is not a deontic logic (it does not
describe which obligations follow from a set of obligations) and it should not be
considered as such. On the other hand, since diagnosis is about violations and deontic logic is
exactly for situations where violations are important [JS92], it makes sense to have a
deontic framework for diagnosis like DIODE. The framework treats norms as components
of a system to be diagnosed; hence the system description becomes a norms description
ND. We refer to the base logic of DIODE as $\mathcal{L}_V$, and the fragment of $\mathcal{L}_V$ without
violation constants as $\mathcal{L}$. We write $\models$ for entailment in $\mathcal{L}_V$. The definition of minimal
violated-norm set is analogous to the definition of diagnosis. Just as we can have multiple
diagnoses with respect to the same (COMP, SD, OBS), we can have multiple minimal
violated-norm sets $\Delta$ with respect to (NORMS, ND, FACTS). The fact that we can have
more than one minimal violation state reflects that we can have different situations that
are optimal, i.e. as ideal as possible. In Section 3 we present an example that illustrates
deontic diagnosis in organization scenarios.

Definition 2. (DIODE) A normative system is a tuple NS = (NORMS, ND) with:

1. NORMS, a finite set of constants denoting norms $\{n_1, \ldots, n_k\}$,

2. ND, the norms description, a set of first-order $\mathcal{L}_V$ sentences denoting obligations

$$\neg V(n_i) \to (\beta \to \alpha).$$

A normative system to be diagnosed is a tuple NSD = (NORMS, ND, FACTS) with:

1. NS = (NORMS, ND), a normative system, and

2. FACTS, a set of first-order $\mathcal{L}$ sentences that describe the facts.

Let NSD = (NORMS, ND, FACTS) be a normative system to be diagnosed. A minimal
violated-norm set $\Delta$ of NSD is a minimal (with respect to set inclusion) subset of NORMS
such that

$$\mathrm{CONTEXT}_\Delta = \mathrm{ND} \cup \mathrm{FACTS} \cup \{V(n_i) \mid n_i \in \Delta\} \cup \{\neg V(n_i) \mid n_i \in \mathrm{NORMS} - \Delta\}$$

is consistent. The set of contextual obligations of a minimal violated-norm set $\Delta$ of a
normative system to be diagnosed NSD is $CO_\Delta = \{\alpha \mid \alpha \in \mathcal{L}, \mathrm{CONTEXT}_\Delta \models \alpha\}$.

Obligations are represented in DIODE analogously to the way they are represented
in Anderson’s reduction of so-called Standard Deontic Logic (SDL) to alethic modal
logic. SDL is a normal modal system of type KD according to the Chellas classification
[Che80]. It satisfies, besides the propositional tautologies modus ponens and
necessitation, axiom K: $O(\alpha \to \beta) \to (O\alpha \to O\beta)$, which states that modus ponens
holds within the scope of the modal operator, and axiom D: $\neg(O\alpha \wedge O\neg\alpha)$, which states
that dilemmas are inconsistent. Anderson [And58] showed that SDL can be expressed
in alethic modal logic by the translation $O\alpha =_{def} \Box(\neg V \to \alpha)$, in which $V$ is the
so-called violation constant (not a propositional variable!), together with the axiom D:
(as usual, $\Diamond\alpha =_{def} \neg\Box\neg\alpha$). In SDL, a conditional obligation can be represented
by $\beta \to O\alpha$ or by $O(\beta \to \alpha)$. The latter is according to the Anderson schema similar
to $O(\beta \to \alpha) =_{def} \Box(\neg V \to (\beta \to \alpha))$. In spite of the analogy in the way obligations
are represented, there are also two important distinctions between the representation
of obligations in DIODE and Anderson’s reduction. First, in Anderson’s reduction
every deontic formula is preceded by a box $\Box$. Semantically, in the theory of diagnosis
distinct models represent distinct situations, whereas in a modal system distinct worlds
within a model represent distinct situations. Second, in Anderson’s reduction there is
only one violation constant. For a further discussion see [TvdT94a]. In spite of the
analogy in the representation of obligations in DIODE and Anderson’s reduction, DIODE is
quite different from a deontic logic. On the one hand DIODE is more than a deontic logic,
because the parsimony principle adds the assumption that the set of violations of
obligations is minimal. This assumption is based on the idea that people tend to comply with
norms, which is an empirical assumption about the behavior of people, and which has
clearly nothing to do with the logic of norms itself. On the other hand one could argue
that DIODE is less than a deontic logic, because, if ND would be a deductively closed set
of sentences, then the DIODE counterpart of the formula $p \to Op$ would be contained
in every ND. Clearly, $p \to Op$ is not an intuitive deontic theorem, and the counterpart of
this formula is also not valid in Anderson’s reduction due to his box operator. Although
these counter-intuitive theorems do not occur in DIODE, because ND is not deductively
closed, we give another formulation at the end of this paper of DIODE in the logic 2DL,
which gives a better representation of the deontic logic component in DIODE.

2.2 Qualitative decision theory 

Boutilier [Bou94] develops a logic of qualitative decision theory in which the basic
concept of interest is the notion of conditional preference. Boutilier writes $I(\alpha \mid \beta)$, read
“ideally $\alpha$ given $\beta$,” to indicate that the truth of $\alpha$ is preferred, given $\beta$. This holds
exactly when $\alpha$ is true at each of the most preferred of those worlds satisfying $\beta$. Boutilier
remarks that from a practical point of view, $I(\alpha \mid \beta)$ means that if the agent (only) knows
$\alpha$, and the truth of $\beta$ is fixed (beyond his control), then the agent ought to ensure $\alpha$.
Otherwise, should $\neg\alpha$ come to pass, the agent will end up in a less than desirable $\beta$-world.
Boutilier mentions that the statement can be roughly interpreted as “if $\beta$, do $\alpha$.”
Moreover, Boutilier observes that the conditional logic of preferences he proposed is similar
to the (purely semantic) proposal put forth by Hansson [Han71]. He concludes that ‘one
may simply think of $I(\alpha \mid \beta)$ as expressing a conditional obligation to see to it that $\alpha$
holds if $\beta$ does.’ Thomason and Horty [TH96] and Lang [Lan96] also observe the link
with deontic logic when they develop the foundations for qualitative decision theory.

Boutilier [Bou94] introduces a simple model of action and ability. The atomic
propositions are partitioned into controllable propositions, atoms over which the agent has
direct influence, and uncontrollable propositions. He ignores the complexities required to
deal with effects, preconditions and such, in order to focus attention on the structure and
interaction of ability and goal determination. The consequence of this lack of an action
model is that ‘we should think of a rule as an evidential rule rather than a causal rule.’
Moreover, Boutilier observes ‘the implicit temporal aspect here; propositions should be
thought of as fluents. We can avoid an explicit temporal representation by assuming that
preference is solely a function of the truth values of fluents.’ Lang [Lan96] calls
controllable and uncontrollable propositions respectively decision variables and parameters.
Moreover, he argues that it is necessary to distinguish not only between desires
(goals) and knowledge as in [Bou94] but also between background factual knowledge
(which tells which worlds are physically impossible) and contingent knowledge (which
tells which of the physically possible worlds can be the actual states of affairs). This last
distinction was introduced in [vdT94].

The simplest definition of goals is in accordance with the general maxim ‘do the best 
thing possible consistent with your knowledge.’ Boutilier [Bou94] dubbed such goals 
CK goals because they seem correct when an agent has Complete Knowledge of the 
world (or at least of uncontrollable atoms). But Boutilier also shows that CK-goals do 
not always determine the best course of action if an agent’s knowledge is incomplete. 
For example, Wald’s criterion is a pessimistic strategy: maximize the minimum return 
(see e.g. [DP95,Lan96]). 

2.3 Context of justification versus context of deliberation 

The distinction between the perspective of a rational agent (qualitative decision theory) 
and a judge (theory of diagnosis) corresponds to Thomason’s distinction between the 
context of deliberation and the context of justification [Tho81]. Thomason distinguishes 
between two ways in which the truth values of deontic sentences are time-dependent. 
First, these values are time-dependent in the same, familiar way that the truth values of 
all tensed sentences are time-dependent. Second, their truth values are dependent on a set
of choices or future options that varies as a function of time. If you think of deontic op- 
erators as analogous to quantifiers ranging over options, this dependency on context is a 
familiar phenomenon. Thus, the context of deliberation is the set of choices when you are 
looking for practical advice, whereas the context of justification is the set of choices for 
someone who is judging you.* The following example discussed in [Han71] illustrates
that it is important to discriminate between these two contexts, because a sentence can 
sometimes be interpreted differently in each of them. 

Example 3. Consider the obligation ‘you should not smoke if you smoke.’ In the context
of justification the obligation is interpreted as the identification of the fact that you are
violating a rule, whereas in the context of deliberation, it is interpreted as the obligation
to stop smoking. When the context is not known, it is also not known which of these
two interpretations (or probably both) is meant. The two perspectives are represented in
Figure 2. At the present moment in time, smoking ($s$) is true. The context of justification
considers the moment before the truth value of $s$ was settled, and considers whether at
that moment in the past, $\neg s$ was preferred over $s$. The context of deliberation considers
the moment the truth value of $s$ can be changed, and considers whether at that moment
in the future, $\neg s$ will be preferred over $s$.







[Figure: a time axis with two perspectives, the context of deliberation (‘Stop smoking!’)
and the context of justification (‘Smoking is a violation.’)]

Fig. 2. Contexts of normative reasoning



The distinction between the two interpretations of the obligation ‘you should not
smoke if you smoke’ is as important as the distinction between Alchourrón-Gärdenfors-Makinson
belief revision (or theory revision) [AGM85] and Katsuno-Mendelzon belief
update [KM92] in the area of logics of belief. There is a strong analogy, because belief
revision is reasoning about a non-changing world and update is reasoning about a
changing world. It follows directly from Figure 2 that a similar distinction is made between
respectively the context of justification and the context of deliberation, because the past
is fixed, whereas the future is wide open.

* Thomason defines the context of justification in terms of the context of deliberation: at a certain 
point in time p is justification-obligatory iff at some earlier point in time p was deliberation- 
obligatory (in both cases p has the same time index). This is in our opinion too simple. We 
should make a distinction analogous to the distinction between revision and update to formalize 
it.

3 Diagnostic framework for process design

The work of Ramos and Fiadeiro should be understood as a contribution to the more 
general purpose to build a formal framework to support organizational process design 
diagnosis according to predefined process design principles. By principles they mean 
general rules that characterize the ideal behavior of an organization. They are interested 
in forms of diagnoses that report violations of such principles. The architecture of their 
intended framework is represented in Figure 3 (taken from [RF96b]). 




Fig. 3. Architecture of Ramos and Fiadeiro’s framework



The user in Figure 3 represents both the designer and the person responsible for 
defining general principles. As represented in Figure 3, the user (supported by a dia- 
grammatic language) can describe the structure of the organization and design the pro- 
cess (process description). The diagnosis procedure uses that information, together with 
general organizational knowledge, to detect violations of the principles indicated by the 
organization (user). The translation from a diagrammatic language to a declarative for- 
mal language is necessary, because Ramos and Fiadeiro want to use logical deduction in 
the diagnosis procedure. The components of the process model are the following ones: 

Organizational structure. The set of structural concepts that characterize an
organization, e.g. agents, tasks, hierarchies. These concepts are independent of the
processes. They describe the fixed components over which the processes should ‘flow’.
The structural concepts represent what is fixed in the organization in the sense that
it cannot be changed as a consequence of a process (re)design.

Process description. The description of the process design, made with typical prim- 
itives used in organizational process like assign-task, output-to-task etc. Variable 
concepts are concepts that can be manipulated by the person that designs the pro- 
cess. They can be understood as ‘design actions’. 

General organizational knowledge. Definitions (e.g. available, informed) and rules
common to all organizations (e.g. if a task is assigned to a collective agent, all the 
members of the collective agent are assigned to that task). 

Principles. General rules that characterize the ideal behavior of an organization. Each 
organization decides which rules should be used. Usually the rules that guide the 
design are general rules. For example, ‘no employee can be assigned to a control 
task if the decision to control is assigned to an agent up in the hierarchy.’

The following example of [RF96b] illustrates the design of an order delivering
process, and is adapted from [CL92]. In Chen and Lee’s framework for the evaluation of
internal accounting control procedures, the idea of having general principles guiding
organizational diagnosis is already present. However, this framework is not supported by
a theory of diagnosis. For instance, it does not deal with either alternative or minimal
diagnoses.

Example 4. (Delivering order) To avoid frauds in organizational accounting procedures,
some control rules are often used. In Figure 4, the process is designed in order to
(partially) fulfill those rules (principles). The process is as follows. The stock manager
receives an order (from a salesman, for example), fills up an internal delivery order (IDO)
and sends the IDO to agent 1, assigned to the task of verifying the IDO. After receiving
the same order the accounting department fills up the invoice and also sends it to agent 1.
Agent 1 checks if the values of the IDO and the invoice are the same, stores the invoice
in the invoice file and sends the IDO to agent 2, assigned to the task of filling up the
outgoing delivery order (ODO). After filling up the ODO agent 2 sends it to the client
together with the goods.




Fig. 4. Ideal order delivering process



Agent 1 is involved in the process in order to avoid a potential fraud between the
stock manager and the client, because agent 1 checks if the goods in the IDO match
the values in the invoice. In the process design in Figure 4 one general rule, to ensure
that the document is not manipulated by other agents, is fulfilled: ‘all documents must
go straight to the control agent after they are created.’ Two other rules that apply to the
process are ‘an agent should not control a superior in the hierarchy’ and ‘socially-close
agents should not control each other.’ For example, the stock manager should not be a
superior of agent 1 and agent 2 should not be socially-close to the stock manager.

We give a simple formalization of this example in a propositional language, which
suffices for our purpose of illustrating DDD. Instead of formalizing the three generic rules
as first-order obligations, we formalize several consequences (instances) of these generic
rules as propositional obligations. Let us assume the following organization structure:
John, Ann and Phil are agents of the organization, Phil is socially-close to John and the
stock manager is hierarchically superior to John. The obligations are (a) the output of the
task verify-IDO must go to the task fill-up-ODO, (b) we must not assign Phil to the task
fill-up-ODO, because socially close agents should not be involved in this process, (c)
we must not assign John to the task verify-IDO, because one agent should not control a
superior in the hierarchy, and (d) the output of the task fill-up-invoice must go to the task
verify-IDO. Using the violation constants of DIODE, we represent the four obligations
by $\neg V_1 \to a$, $\neg V_2 \to b$, $\neg V_3 \to c$ and $\neg V_4 \to d$, respectively. An instance of the
general organisational knowledge is that if the output of task verify-IDO goes to
fill-up-ODO and Phil is not assigned to fill-up-ODO, then Phil does not receive the ODO,
which is represented by $a \wedge b \to e$. Finally, facts (design) are that Ann is agent 1, Phil is
agent 2, John is not assigned to the task verify-IDO and that Phil receives the ODO, i.e.,
$c \wedge \neg e$. Notice that one of the first or second obligations is violated, the third obligation
is fulfilled, and nothing is known about the fourth obligation.

In the following section we show how we can reason about this delivering order ex- 
ample in the deontic framework for diagnosis of process design, based on Reiter ’s theory 
of diagnosis. 

3.1 DDD Deontic framework for diagnosis of (organizational) process design 

Minimal diagnoses have proven to be adequate for detecting violations of obligations. 
However, for the purpose of process design diagnosis, it is not sufficient to capture cases 
of unfulfilled obligations. This particularity of process design led Ramos and Fiadeiro
in [RF96b] to propose a more general diagnosis, one that distinguishes between poten- 
tial, benevolent and exigent diagnosis. The following example criticizes the principle of 
parsimony for organizational process design. 

Example 5. (Delivering order, continued) If it is important that the invoice goes straight 
to the task verify-IDO, then a design that does not commit itself with the output of the 
invoice must be avoided. Indeed, if the principle is not enforced, it is possible that, dur- 
ing the implementation of the process in the organization, the invoice goes straight to 
the invoice file. To avoid this undesired situation, the diagnosis should alert to the ‘in- 
completeness’ of the design. When it is important to ensure that all obligations are ful- 
filled, and not only detect violations of obligations, the principle of parsimony is much 
too benevolent (it is like the assumption of the fulfillment of obligations in the absence of 
information). In that case an approach based only on minimal diagnosis is not adequate
and an exigent diagnosis (where unfulfilled obligations are detected) is more suitable. 

In order to deal with diagnoses that are not minimal, Ramos and Fiadeiro extend the
representation of obligations by assuming that norms are completely described. With
this new approach, more useful information can be obtained for process design, keeping
at the same time all the results of model based reasoning. When a set of norms is
translated to DDD, the following two assumptions are made to incorporate fault
knowledge. The underlying assumption of ‘innocent until proven guilty’ is not always the right
one; sometimes ‘guilty until proven innocent’ is preferred. So-called fault knowledge
(see e.g. [dKMR90]) describes the consequences of broken components, in general
represented by $\beta \wedge Ab(c) \to \gamma$. Hence, with fault knowledge from the abnormality of a
component new information can be derived. If the rules from the system description SD
are represented by $\beta \wedge \neg Ab(c) \to \alpha$, then there is no fault knowledge. In that case, the
maximal diagnosis is simply the set of all components. Obviously, for any reasonable
definition of a maximal diagnosis, fault knowledge has to be added.

- Assumption 1 As a rule, each (conditional) obligation of a premise set corresponds
to a separate norm. A set of obligations is translated to a set of norms.

- Assumption 2 Every norm description completely describes an obligation. Thus, a
conditional obligation ‘$\alpha$ should be the case if $\beta$ is the case’ is represented in DDD
by the norm description $\neg V(n_i) \leftrightarrow (\beta \to \alpha)$. The conditional obligation can be
read in DDD as ‘if the norm $n_i$ is not violated, then and only then if $\beta$ is the case
then $\alpha$ is the case.’ The sentence is logically equivalent with $V(n_i) \leftrightarrow (\neg\alpha \wedge \beta)$,
which explains why $V(n_i)$ is called a violation constant.

Ramos and Fiadeiro propose the following deontic framework for diagnosis of (or- 
ganizational) process design ddd. They discriminate between minimal and maximal 
violated-norm sets. 

Definition 6. (DDD) A normative system is a DIODE tuple NS = (NORMS, ND) where
ND, its norms description, is a set of obligations $\neg V(n_i) \leftrightarrow (\beta \to \alpha)$. Let NSD =
(NORMS, ND, FACTS) be a normative system to be diagnosed and $\mathrm{CONTEXT}_\Delta$ the
context of a set of norms $\Delta \subseteq \mathrm{NORMS}$. A potential diagnosis $\Delta$ of NSD is a subset of
NORMS such that $\mathrm{CONTEXT}_\Delta$ is consistent. A benevolent (exigent) diagnosis $\Delta$ is a
minimal (maximal) subset (with respect to set inclusion) of NORMS such that $\mathrm{CONTEXT}_\Delta$ is
consistent. The implicit violation set $\Delta$ of NSD is a minimal subset (with respect to set
inclusion) of NORMS such that $\mathrm{CONTEXT}_\Delta$ is inconsistent.

The set of potential diagnoses can be ordered by set inclusion, of which the benevolent
and exigent diagnoses are respectively the lower and upper bounds. Diagnostic
reasoning is not restricted to the minimal elements of the graph, but to all elements.
Moreover, for the benevolent diagnosis we have the additional information supplied by the
implicit obligation sets and the contextual obligations. This is illustrated by the example
of the delivering order in DDD, see [RF96b] for a full discussion of this example in
DDD.^

^ As remarked in [dKMR90], with the representation of fault knowledge it is no longer possible 
to compute all consistent sets of normal and abnormal components based on minimal diagno- 

Example 7. (Delivering order, continued) Consider the following normative system:

1. NORMS = $\{n_1, n_2, n_3, n_4\}$, and

2. ND = $\{\neg V(n_1) \leftrightarrow a,\ \neg V(n_2) \leftrightarrow b,\ \neg V(n_3) \leftrightarrow c,\ \neg V(n_4) \leftrightarrow d\}$.

The set of potential diagnoses of FACTS = $\{a \wedge b \to e,\ c \wedge \neg e\}$ is represented in Figure 5.
We have FACTS $\models \neg a \vee \neg b$ and FACTS $\cup$ ND $\models V(n_1) \vee V(n_2)$. Moreover, we have
FACTS $\cup$ ND $\models \neg V(n_3)$. There is one exigent diagnosis, $\{V(n_1), V(n_2), V(n_4)\}$, and
two benevolent diagnoses, $\{V(n_1)\}$ and $\{V(n_2)\}$. The implicit violation set is the set
$\{V(n_1), V(n_2)\}$, which means that either the first or the second norm has to be violated.
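
The diagnoses claimed in Example 7 can be checked by enumerating every subset of NORMS and testing the consistency of its context over all valuations. The Python code below is an added example, not code from the paper or from Ramos and Fiadeiro; its function names and the `complete` flag are assumptions of this example, with `complete=False` taking the DIODE reading (¬V(n) → x, no fault knowledge) and `complete=True` the DDD reading (¬V(n) ↔ x).

```python
from itertools import combinations, product

# Example 7 of the text: four norms, each with one propositional consequent.
NORMS = ("n1", "n2", "n3", "n4")
CONSEQUENT = {"n1": "a", "n2": "b", "n3": "c", "n4": "d"}
ATOMS = ("a", "b", "c", "d", "e")


def facts_hold(w):
    """FACTS = {a & b -> e, c & ~e}, evaluated in the valuation w."""
    return ((not (w["a"] and w["b"])) or w["e"]) and w["c"] and not w["e"]


def norm_description_holds(norm, violated, w, complete):
    """Evaluate one norm description for a fixed truth value of V(norm).

    complete=False: DIODE reading, ~V(n) -> x   (no fault knowledge)
    complete=True:  DDD reading,   ~V(n) <-> x  (norm completely described)
    """
    x = w[CONSEQUENT[norm]]
    if complete:
        return (not violated) == x
    return violated or x


def context_is_consistent(delta, complete):
    """CONTEXT_delta is consistent iff some valuation of the atoms satisfies
    FACTS and ND with V(n) true exactly for the norms n in delta."""
    for values in product((False, True), repeat=len(ATOMS)):
        w = dict(zip(ATOMS, values))
        if facts_hold(w) and all(
            norm_description_holds(n, n in delta, w, complete) for n in NORMS
        ):
            return True
    return False


def potential_diagnoses(complete):
    """All subsets delta of NORMS whose context is consistent."""
    subsets = (
        frozenset(c)
        for k in range(len(NORMS) + 1)
        for c in combinations(NORMS, k)
    )
    return {d for d in subsets if context_is_consistent(d, complete)}


def benevolent(diagnoses):
    """Minimal potential diagnoses with respect to set inclusion."""
    return {d for d in diagnoses if not any(o < d for o in diagnoses)}


def exigent(diagnoses):
    """Maximal potential diagnoses with respect to set inclusion."""
    return {d for d in diagnoses if not any(o > d for o in diagnoses)}


def show(sets):
    """Sorted list-of-lists rendering, for stable printing."""
    return sorted(sorted(s) for s in sets)


if __name__ == "__main__":
    for complete in (False, True):
        label = "DDD (<->)" if complete else "DIODE (->)"
        pot = potential_diagnoses(complete)
        print(label, "potential diagnoses:", len(pot))
        print("  benevolent:", show(benevolent(pot)))
        print("  exigent:   ", show(exigent(pot)))
```

Under the DDD reading the set {n1, n3} is a superset of a benevolent diagnosis but is not itself a potential diagnosis, because c is a fact and the norm description of n3 then forces ¬V(n3).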



[Figure: sets of violations ordered by inclusion, with top element {V1,V2,V3,V4};
panel a: without fault knowledge]

Fig. 5. Consistent sets of violations



3.2 DDD^ Deontic framework for Diagnosis for process Design based on Deontic 
logic 

In [RF96a] Ramos and Fiadeiro show how a theory of diagnosis can use deontic logic. 
Ramos and Fiadeiro use dyadic deontic logic to represent conditional obligations.^ With 
the dyadic operator, Chisholm’s paradox for conditional obligations does not occur. The 
obligations $O(\alpha \mid \beta)$ are read as ‘$\alpha$ is obligatory in the context $\beta$.’ They have the
following desiderata for the dyadic logic.

1. Conditional obligation, thus not $O(\alpha \mid \beta) \leftrightarrow O(\beta \to \alpha)$. For example, if there is
a rule ‘if an order form is sent to a supplier, then a copy of the order form should
be sent to the department store’ $O(c \mid o)$ and neither $c$ and $o$ nor their negations can
be derived, then an exigent diagnosis should not contain the violation of the
obligation. The situation is avoided if we only consider violations of actual obligations

sis: not all supersets of minimal sets are consistent. In Reiter’s minimal diagnosis that property 
holds. Indeed, in Figure 5.a, only the sets in italics are consistent if we adopt the complete de- 
scription of norms. 

^ A deontic logic describes besides obligations also permissions. However, the ‘organization’
does not say: you are permitted to do . . . ! That makes no sense in design. The diagnosis is
not going to check if the permissions are ‘fulfilled’, because it is a designer problem. The
designer is permitted to do anything except violating the rules.







in a diagnosis, because with actual obligations, if o cannot be derived, then the vio- 
lation will never appear in a diagnosis. Thus a normal modal system like SDL and 
Anderson’s reduction to alethic modal logic is insufficient. 

2. Contraposition $O(\alpha \mid \beta) \leftrightarrow O(\neg\beta \mid \neg\alpha)$. For example, if there is the rule $O(c \mid o)$
and $\neg c$ can be derived and $\neg o$ cannot be derived, then an exigent diagnosis should
contain the violation of the obligation.

3. No weakening of the consequent. Consider the rule of inference RM: if $\vdash \beta \to \alpha$
then $O\beta \to O\alpha$. Assume the following rule: ‘if one agent sends a document to another,
then the second receives the document.’ Notice that A sending a document to B is
more specific than B receiving it because it can be sent by anyone. Furthermore,
assume the obligation ‘Ann is obliged to send a budget to John’ and the fact ‘Ann does
not send the budget’ (thus John does not receive it). Given rule RM, the diagnosis
will report two violations. However only one violation really occurs. Thus a normal
modal system like SDL and a non-normal modal system like Chellas minimal
deontic logic are insufficient.

4. Design action and context. Dyadic obligations $O(\alpha \mid \beta)$ have two components. First,
the design action ($\alpha$) that indicates what the designer should do. Second, the context
($\beta$) that describes the situation in which the design action should be done.

5. No structural variables in the scope of the modal operator. It is assumed that it makes
no sense to have obligations that oblige a process designer to act in the structure of
the organisation. This is formalized by the contingency clause $\neg struct(\alpha)$, as
explained below. It follows from that assumption that, whatever the context, any
obligation where the action is represented by a structural concept is not valid. For
example, the following rule ‘if the task approve-budget is assigned to John, then John
must be the Head of Department (HD)’ $O(h \mid a)$ is not valid because John being or
not being the HD is not a design action (it is a part of the structure of the
organisation). The rule should be: ‘if John is not the HD, then he cannot be assigned to the
task approve-budget’ $O(\neg a \mid \neg h)$.

Ramos and Fiadeiro make a distinction between structural and action variables (4).
The basic idea is the following, inspired by Castaneda’s distinction between assertions
and actions [Cas81]. The modal language of deontic logic gives us the opportunity -
not present in Reiter’s first order theory of diagnosis - to distinguish between structural
variables which are fixed within a model, and variables which are allowed to vary within
the model. For a structural variable $p$, we have $\Box p \vee \Box\neg p$. Hence, we have $p \to \Box p$: if
the structural variable is true in the actual world, it is true in all worlds. Notice that $\Box p$
should be read as $p$ is a structural concept, not as $p$ is necessarily true (as in Anderson’s
proposal). Moreover, they restrict the scope of the deontic operator to action variables
(5). Hence, we add the clause $\neg struct(\alpha)$ to an obligation for $\alpha$. This is a formalization
of von Wright’s contingency principle, because we have $Op \to \Diamond\neg p$ and $Op \to \Diamond p$.
The contingency clause $\neg struct(\alpha)$ is a kind of consistency check. Von Wright remarks
that ‘the last may be regarded as a version of the principle, commonly associated with
the name of Kant, that “Ought implies (entails) Can”’ [vW71, p.163].

In [RF96a] the following logic Ldd is proposed. It is defined in terms of a monadic
minimal modal logic, and thereby we have trivially soundness and completeness of the
logic. The modal operator $I$ is a technical trick to avoid the problems of Chellas’ standard
modal operators. The interested reader is referred to [RF96a] for further details."*

Definition 8. (Ldd) Consider a bimodal logic with $\Box$ and $I$. The logic is the smallest
set of formulas that contains the propositional tautologies and the following axioms and
is closed under the following rules of inference.

RE:



^P,CX 



±l 

hDa 

Qfl ■H-Qf2 
/cti 



K: $\Box(\beta \to \alpha) \to (\Box\beta \to \Box\alpha)$

T: $\Box\alpha \to \alpha$



^/T 



EUci — )■ Id 



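The logic Ldd is an extension of the bimodal logic with the following definitions.

$struct(\alpha) =_{def} \Box\alpha \vee \Box\neg\alpha$

$O(\alpha \mid \beta) =_{def} I(\beta \leftrightarrow \alpha) \wedge \neg I(\neg\alpha \wedge \beta) \wedge \neg struct(\alpha)$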

Definition 9. (Semantics Ldd) Kripke models $M = (W, R_1, R_2, V)$ for Ldd consist
of $W$ a set of worlds, $R_1(w, w')$ a binary reflexive accessibility relation, $R_2(w, W')$ an
accessibility relation that gives a nonempty set of sets of worlds ($\neq W$) for each world
(we write either $R_1(w, w')$ and $R_2(w, W')$, or $w' \in R_1(w)$ and $W' \subseteq R_2(w)$), such
that for all $W' \subseteq R_2(w)$ we have $W' \subseteq R_1(w)$, and $V$ a valuation function for the
propositions in the worlds. We have:

$M, w \models \Box p$ iff for all $w'$ such that $R_1(w, w')$ we have $M, w' \models p$

$M, w \models Ip$ iff $\exists W'$ such that $R_2(w, W')$ and $W' = \{w' \in R_1(w) \mid M, w' \models p\}$.

The logic is not closed under conjunction, weakening of the consequent, etc. The 
following proposition shows that Ldd has the desired properties. 

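Proposition 10. The logic Ldd validates the following theorems.

$\neg O(\top \mid \beta)$

$\neg O(\bot \mid \beta)$

$(\beta \wedge struct(\beta) \wedge O(\alpha \mid \beta)) \to O(\alpha \mid \top)$

$(struct(\alpha_2) \wedge O(\alpha_1 \wedge \alpha_2 \mid \beta)) \to O(\alpha_1 \mid \beta)$

$(\neg struct(\beta) \wedge O(\alpha \mid \beta)) \to O(\neg\beta \mid \neg\alpha)$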

The logic Ldd does not validate the following theorem (the first desideratum of the 
list at the beginning of this section). 

"* In this paper, we have simplified the formalization. In [RF96a], the dyadic operator is defined 
directly in the semantics: $O(\alpha \mid \beta)$ is true iff in all ideal designs $\alpha \leftrightarrow \beta$ and in ideal designs it
is not the case that $\beta \wedge \neg\alpha$.

$(\neg struct(\beta \to \alpha) \wedge O(\alpha \mid \beta)) \to O(\beta \to \alpha \mid \top)$

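Proof. The two theorems $\neg O(\top \mid \beta)$ and $\neg O(\bot \mid \beta)$ follow directly from $\neg struct(\alpha)$.
$(\beta \wedge struct(\beta) \wedge O(\alpha \mid \beta)) \to O(\alpha \mid \top)$ and $(struct(\alpha_2) \wedge O(\alpha_1 \wedge \alpha_2 \mid \beta)) \to O(\alpha_1 \mid \beta)$
follow from $\alpha \wedge struct(\alpha) \to \Box\alpha$. The theorem $(\neg struct(\beta) \wedge O(\alpha \mid \beta)) \to O(\neg\beta \mid \neg\alpha)$
follows from $(I(\beta \leftrightarrow \alpha) \wedge \neg I(\neg\alpha \wedge \beta)) \to (I(\neg\alpha \leftrightarrow \neg\beta) \wedge \neg I(\neg\neg\beta \wedge \neg\alpha))$. For
a countermodel of $(\neg struct(\beta \to \alpha) \wedge O(\alpha \mid \beta)) \to O(\beta \to \alpha \mid \top)$, consider the set
$W = \{w_0, w_2, w_3, w_4\}$ with $w_1 = \{\neg a, \neg b\}$; $w_2 = \{a, b\}$; $w_3 = \{\neg a, b\}$; $w_4 =
\{a, \neg b\}$, $R_1(w_0, w_1)$; $R_1(w_0, w_2)$; $R_1(w_0, w_3)$; $R_1(w_0, w_4)$; $R_2(w_0, \{w_1, w_2\})$. Given
the set $W$ we have $M, w_0 \models I(a \leftrightarrow b)$ because $W' = \{w_1, w_2\}$, we have $M, w_0 \models
\neg I(\neg a \wedge b)$ because we do not have $R_2(w_0, \{w_3\})$, and we have $M, w_0 \not\models I((b \to a) \leftrightarrow
\top)$ because we do not have $R_2(w_0, \{w_1, w_2, w_4\})$.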

The logic Ldd is used for deontics-based diagnosis.^ 

Definition 11. (Deontics-based diagnosis) An obligation system is given by a tuple OS 
= (OBL, STRUCT) with: 

1. OBL, a finite set of modal sentences denoting conditional obligations $O(\alpha|\beta)$, 

2. STRUCT, a set of expressions denoting which variables are structural $\Box p \lor \Box\neg p$. 

An obligation system to be diagnosed is a tuple OSD = (OBL, STRUCT, FACTS) with: 

1. OS = (OBL, STRUCT), an obligation system, and 

2. FACTS, a finite set of propositional sentences. 

The actual obligation set AO is the set of obligations (without logical equivalents): 

$AO = \{O_a\alpha \mid OBL \cup FACTS \cup STRUCT \models O(\alpha|\beta) \land \beta\}$

A potential diagnosis $\Delta$ is a subset of the actual obligation set AO such that 
$CONTEXT_\Delta = OBL \cup FACTS \cup STRUCT \cup \{\neg\alpha \mid O_a\alpha \in \Delta\} \cup \{\alpha \mid O_a\alpha \in AO - \Delta\}$ 
is consistent. 

Deontics-based diagnosis is illustrated by the following example. 

Example 12. (Delivering order, continued) Consider the following additional rule to 
the initial example in Example 4: ‘if an ODO is sent to a client, a copy of the ODO 
should be sent to the department store’ ($O(g|f)$). Since the condition of the obligation 
does not hold (it is not ‘designed’ yet), there is no actual obligation of $g$ (send a 
copy of ODO to the department store). Consider the following obligation system to be 
diagnosed OSD = (OBL, STRUCT, FACTS) with 

1. OBL = $\{O(a|\top), O(b|\top), O(c|\top), O(d|\top), O(g|f)\}$, 

2. STRUCT = $\emptyset$, 

3. FACTS = {a A & e, c A -le}. 

The actual obligation set is AO = {OaU, OaC, Oad} and the set of potential diag- 
noses is similar to the previous representation in DDD in Example 7. 

^ We have simplified the deontics-based diagnosis a bit. The obligation system that consists of 
the single obligation $O(a|b)$ and facts $b \land$ will report that $a$ is a violation. But in [RF96a] 
the user is informed that if he changes $b$ to $\neg b$, then the violation will disappear. 

4 Diagnostic and decision-theoretic framework 

The work of Tan and Van der Torre should be understood as a contribution to a more gen- 
eral purpose to build a formal framework to support drafting of bureaucratic procedures, 
in particular international trade procedures [BLWW95]. For example, in [RTvdT96] it 
is shown how to extend the Petri net formalism to represent different types of behavior, 
in particular normative behavior. This extension is motivated by the use of Petri nets 
to model bureaucratic procedures, which contain normative aspects like obligations and 
permissions. It is important that violations of obligations, i.e. sub-ideal states, are rep- 
resented explicitly in the modeling of procedures, because in most procedures it is de- 
scribed explicitly what is considered as ill-behavior, and how this will be punished (the 
corresponding sanction). However, the representation of violations and sub-ideal behav- 
ior in Petri nets is not very satisfactory, see [RTvdT96]. The modeling of violations of 
bureaucratic procedures explains Tan and Van der Torre’s interest in theories of diagno- 
sis. 

4.1 diOde with applicable norms 

In diOde, there is no distinction between fulfilling a dyadic obligation, and inapplicability 
of a dyadic obligation. For example, for $O(\alpha|\beta)$ we have $\neg V(n) \leftrightarrow (\beta \to \alpha)$, which 
is logically equivalent with $\neg V(n) \leftrightarrow (\neg\beta \lor (\beta \land \alpha))$. A solution is to add applicability 
information. For example, for $O(\alpha|\beta)$ we have $\neg V(n) \leftrightarrow (\beta \to \alpha) \land A(n) \leftrightarrow \beta$. Thus, 
the underlying logic is extended with an applicability predicate similar to the violation 
predicate. Now, first we determine the applicable obligations by minimizing the $A(n)$. 
Secondly, for applicable obligations we can have minimal or maximal sets. 

Definition 13. (diOde with applicable norms) A normative system is a diOde tuple 
NS = (NORMS, ND) where ND, the norms description, is a set of conditional obligations 

$\neg V(n_i) \leftrightarrow (\beta \to \alpha) \land A(n_i) \leftrightarrow \beta$

Let NSD = (NORMS, ND, FACTS) be a normative system to be diagnosed. The active 
norms $\Delta_a$ of NSD is a minimal subset of NORMS such that 

$ND \cup FACTS \cup \{A(n_i) \mid n_i \in \Delta_a\} \cup \{\neg A(n_i) \mid n_i \in NORMS - \Delta_a\}$

is consistent. A potential diagnosis $\Delta$ of NSD is a subset of some $\Delta_a$ of NSD such that 

$CONTEXT_\Delta = ND \cup FACTS \cup \{V(n_i) \mid n_i \in \Delta_a\} \cup \{\neg V(n_i) \mid n_i \in \Delta_a - \Delta\}$

is consistent. 

The following example illustrates the adaptation of diOde. 

Example 14. Consider the normative system of the obligation $O(c|o)$. 

1. NORMS = $\{n_1\}$, 

2. ND = $\{(\neg V(n_1) \leftrightarrow (o \to c)) \land (A(n_1) \leftrightarrow o)\}$. 

The set of active norms $\Delta_a$ is empty for FACTS = $\emptyset$, thus there is no potential diagnosis 
which contains the norm $n_1$. In particular, the only exigent diagnosis is the empty set. 
Moreover, consider the following normative system of the two obligations $O(p_1|q)$ and 
$O(p_2|\neg q)$. 

1. NORMS = $\{n_1, n_2\}$, 

2. ND = $\{(\neg V(n_1) \leftrightarrow (q \to p_1)) \land (A(n_1) \leftrightarrow q),\ (\neg V(n_2) \leftrightarrow (\neg q \to p_2)) \land (A(n_2) \leftrightarrow \neg q)\}$. 

Given the tautology $q \lor \neg q$, we have for FACTS = $\emptyset$ two minimal active sets $\Delta_a = \{n_1\}$ 
and $\Delta_a = \{n_2\}$. Finally, consider the following normative system of the two obligations 
$O(p|q)$ and $O(q|\top)$. 

1. NORMS = $\{n_1, n_2\}$, 

2. ND = $\{(\neg V(n_1) \leftrightarrow (q \to p)) \land (A(n_1) \leftrightarrow q),\ (\neg V(n_2) \leftrightarrow q) \land (A(n_2) \leftrightarrow \top)\}$. 

The minimal active set for FACTS = $\{\neg p\}$ is $\Delta_a = \{n_2\}$. 

4.2 diO(de)² 

A theory of diagnosis like diOde is based on the distinction between violated and 
non-violated, and a (qualitative) decision theory is based on the distinction between fulfilled 
and non-fulfilled. diO(de)² is short for the Diagnostic and DEcision-theoretic framework 
for DEontic reasoning. It combines reasoning about violated and fulfilled norms. 
Hence, it combines reasoning about the past (violated versus non-violated) with reasoning 
about the future (already fulfilled versus not yet fulfilled). As illustrated in Figure 1, 
diO(de)² combines the reasoning of a judge with reasoning of a rational agent. 
diO(de)² is the extension of diOde with (1) goal oriented reasoning, (2) distinction between 
parameters and decision variables and (3) addition of uncertainty and strategies. 
Here, we restrict ourselves to the first item. Technically, it has fulfilled-norm constants 
($F$). In the following definition of diO(de)², for an obligation $O(\alpha|\beta)$ we have besides 
$\neg V(n) \leftrightarrow (\beta \to \alpha)$ also $F(n) \leftrightarrow (\beta \land \alpha)$. We minimize the applicable norms by 
minimizing the relation $(\Delta_f, \Delta_v) \leq (\Delta'_f, \Delta'_v)$. 

Definition 15. (diO(de)²) A normative system is a diOde tuple NS = (NORMS, ND) 
where ND, the norms description, is a set of conditional obligations represented by the 
formula $\neg V(n) \leftrightarrow (\beta \to \alpha) \land F(n) \leftrightarrow (\beta \land \alpha)$. Let NSD = (NORMS, ND, FACTS) be 
a normative system to be diagnosed. A fulfilled-violated set $(\Delta_f, \Delta_v)$ of NSD is a pair 
of subsets of NORMS such that 

$CONTEXT_\Delta = ND \cup FACTS \cup \{V(n_i) \mid n_i \in \Delta_v\} \cup \{\neg V(n_i) \mid n_i \in NORMS - \Delta_v\}$

$\cup\ \{F(n_i) \mid n_i \in \Delta_f\} \cup \{\neg F(n_i) \mid n_i \in NORMS - \Delta_f\}$

is consistent. Let $\leq$ be the ordering on fulfilled-violated sets $(\Delta_f, \Delta_v) \leq (\Delta'_f, \Delta'_v)$ iff 
$\Delta_f \subseteq \Delta'_f$ and $\Delta_v \subseteq \Delta'_v$. A potential diagnosis $(\Delta_f, \Delta_v)$ of NSD is a pair of subsets of 
NORMS that is minimal in the ordering $\leq$. 

The following example illustrates the adaptation of diO(de)² and compares it with 
diOde with applicable norms. 

Example 16. Consider the following normative system of the obligation $O(c|o)$. 

1. NORMS = $\{n_1\}$, 

2. ND = $\{(\neg V(n_1) \leftrightarrow (o \to c)) \land (F(n_1) \leftrightarrow (c \land o))\}$ 

The unique potential diagnosis for FACTS = $\emptyset$ is $(\Delta_f, \Delta_v) = (\emptyset, \emptyset)$. In diOde with 
applicable norms, the set of active norms $\Delta_a$ is empty for FACTS = $\emptyset$. Hence, the two 
systems behave similarly. Moreover, consider the following normative system of the two 
obligations $O(p_1|q)$ and $O(p_2|\neg q)$. 

1. NORMS = $\{n_1, n_2\}$, 

2. ND = $\{(\neg V(n_1) \leftrightarrow (q \to p_1)) \land (F(n_1) \leftrightarrow (p_1 \land q)),\ (\neg V(n_2) \leftrightarrow (\neg q \to p_2)) \land (F(n_2) \leftrightarrow (p_2 \land \neg q))\}$. 

The potential diagnoses $(\Delta_f, \Delta_v)$ for FACTS = $\emptyset$ are $(\{n_1\}, \emptyset)$, $(\{n_2\}, \emptyset)$, $(\emptyset, \{n_1\})$ and 
$(\emptyset, \{n_2\})$. In diOde with applicable norms, we have for FACTS = $\emptyset$ two minimal active 
sets $\Delta_a = \{n_1\}$ and $\Delta_a = \{n_2\}$. Hence, the two systems behave again similarly. 
Finally, consider the following normative system of the two obligations $O(p|q)$ and 
$O(q|\top)$. 

1. NORMS = $\{n_1, n_2\}$, 

2. ND = $\{(\neg V(n_1) \leftrightarrow (q \to p)) \land (F(n_1) \leftrightarrow (p \land q)),\ (\neg V(n_2) \leftrightarrow q) \land (F(n_2) \leftrightarrow q)\}$. 

The potential diagnoses for FACTS = $\{\neg p\}$ are $(\Delta_f, \Delta_v) = (\emptyset, \{n_2\})$ and $(\Delta_f, \Delta_v) = 
(\{n_2\}, \{n_1\})$. In diOde with applicable norms, the minimal active set for FACTS = $\{\neg p\}$ 
is $\Delta_a = \{n_2\}$. The two systems do not behave similarly, because in diO(de)² it is possible 
that the first obligation is violated. 

There is an interesting connection between the latter set of obligations of Example 16 
and deontic detachment (or transitivity) $O(\alpha|\beta) \land O(\beta|\gamma) \to O(\alpha|\gamma)$. With deontic 
detachment we can derive the obligation $O(p|\top)$ from the two premises $O(p|q)$ 
and $O(q|\top)$. Thus, if deontic detachment is valid, then the fact $\neg p$ is a violation. In 
diOde, there is only one active set, that contains the second obligation. It is possible 
that this obligation is fulfilled, and there are therefore no violations. On the other hand, 
in diO(de)² every potential diagnosis contains violations. 
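
Definitions 13 and 15 can be checked by brute force over truth assignments; the following added example (not code from the paper) recomputes the active sets of Example 14 and the potential diagnoses of Example 16. The encoding of norms as Python triples and the names `active_sets` and `potential_diagnoses` are assumptions of this sketch; because each constant $A(n)$, $V(n)$, $F(n)$ is fixed by a biconditional, a candidate set is consistent exactly when some assignment satisfying FACTS realizes it.

```python
from itertools import product

# Added illustration (not code from the paper). An obligation O(alpha | beta)
# named n is the triple (n, alpha, beta); alpha and beta map a world
# (dict: atom -> bool) to bool. Encoding and function names are assumptions.


def worlds(atoms, facts):
    """Yield every truth assignment over `atoms` that satisfies all FACTS."""
    for values in product([False, True], repeat=len(atoms)):
        w = dict(zip(atoms, values))
        if all(fact(w) for fact in facts):
            yield w


def minimal(items, leq):
    """Elements of `items` with no strictly smaller element under `leq`."""
    return {x for x in items if not any(leq(y, x) and y != x for y in items)}


def active_sets(norms, atoms, facts):
    """Definition 13: minimal sets of norms with A(n) true, A(n) <-> beta."""
    candidates = {frozenset(n for n, _, beta in norms if beta(w))
                  for w in worlds(atoms, facts)}
    return minimal(candidates, lambda x, y: x <= y)


def potential_diagnoses(norms, atoms, facts):
    """Definition 15: minimal (fulfilled, violated) pairs.

    F(n) <-> (beta and alpha); V(n) <-> (beta and not alpha), obtained by
    negating both sides of the definition's not-V(n) <-> (beta -> alpha).
    """
    pairs = set()
    for w in worlds(atoms, facts):
        fulfilled = frozenset(n for n, a, b in norms if b(w) and a(w))
        violated = frozenset(n for n, a, b in norms if b(w) and not a(w))
        pairs.add((fulfilled, violated))
    return minimal(pairs, lambda x, y: x[0] <= y[0] and x[1] <= y[1])


TOP = lambda w: True
# The three normative systems shared by Examples 14 and 16.
ONE_NORM = [("n1", lambda w: w["c"], lambda w: w["o"])]        # O(c|o)
SPLIT = [("n1", lambda w: w["p1"], lambda w: w["q"]),          # O(p1|q)
         ("n2", lambda w: w["p2"], lambda w: not w["q"])]      # O(p2|not q)
CHAIN = [("n1", lambda w: w["p"], lambda w: w["q"]),           # O(p|q)
         ("n2", lambda w: w["q"], TOP)]                        # O(q|T)
NOT_P = [lambda w: not w["p"]]                                 # FACTS = {not p}

if __name__ == "__main__":
    print(active_sets(CHAIN, ["p", "q"], NOT_P))
    print(potential_diagnoses(CHAIN, ["p", "q"], NOT_P))
```

For the last system the two definitions diverge as the text describes: the only minimal active set omits $n_1$, while one of the two potential diagnoses marks $n_1$ as violated.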

4.3 The two-phase deontic logic 2dl 

The two-phase preference-based deontic logic 2dl [TvdT96,vdTT97b] can be used to 
make the comparison between diO(de)² and classical deontic logics. In the modal preference 
semantics of 2dl, the accessibility relation is interpreted as a preference relation. 
For example, $w_1 \leq w_2$ has to be read as ‘world $w_1$ is at least as preferable as world $w_2$.’ 
It is a well-known problem from preference logics that we cannot define an obligation 
$Op$ as a strict preference of $p$ over $\neg p$, because two obligations $Op_1$ and $Op_2$ would 
conflict for $p_1 \land \neg p_2$ and $\neg p_1 \land p_2$. This motivates the following weaker definition: an 
obligation $p$ is the absence of a preference of $\neg p$ over $p$, see [TvdT96,vdTT97b]. 

Definition 17. (2dl) A Kripke model $M = \langle W, \leq, V \rangle$ consists of $W$, a set of worlds, $\leq$, 
a binary transitive and reflexive accessibility relation interpreted as a preference relation, 
and $V$, a valuation of the propositions at the worlds. We have $M \models O(\alpha|\beta)$ iff 

1. for all $w$ and $w'$ such that $M, w \models \alpha \land \beta$ and $M, w' \models \neg\alpha \land \beta$, we have $w' \not\leq w$, 
and 

2. there are such worlds $w$ and $w'$. 

diO(de)² corresponds to deontics-based diagnosis based on the modal logic 2dl. 
That is, diO(de)² corresponds to deontics-based diagnosis in Definition 11 in the previous 
section, where the logic Ldd is replaced by 2dl. The correspondence follows directly 
from the preference-based semantics. An obligation $O(\alpha|\beta)$ in diO(de)² is a 
preference of $\alpha \land \beta$ (fulfilled norm) over $\neg\alpha \land \beta$ (violated norm). This preference is 
defined in two steps: in the base language the fulfilled and violated norm constants are 
defined, and in the definition of potential diagnosis the set of applicable norms is minimized. 
In 2dl, the preference is not represented by fulfilled and violated norm constants, 
but defined directly in the preferential semantics. In other words, diO(de)² is the deontic 
logic 2dl in which certain aspects (fulfillments and violations) are made explicit 
with the use of a naming convention, i.e. to use names $n_i$ to denote norms. 

5 Comparison 

The similarity between the two approaches ddd and diO(de)² presented in this paper 
is that exigent diagnosis is like reasoning about goals. Moreover, there are several technical 
similarities between the logics Ldd and 2dl like the use of a contingency clause 
(consistency checks) and lack of weakening of the consequent. 

5.1 Exigent diagnosis and goal oriented reasoning 

The main similarity between DDD and diO(de)² is that both are extensions of diOde 
with concepts of qualitative decision theory. The extended diagnostic framework ddd 
can be considered as a kind of qualitative decision framework for the following reason. 
The exigent diagnosis of ddd reports norms not yet fulfilled. Hence, it reports norms that 
should be fulfilled in the future. These norms are the goals in decision theory, which are 
represented by $F$ predicates in diO(de)². 

We can discriminate two phases in ddd and diO(de)². The first phase reasons about 
all potential diagnoses and the second phase only about benevolent or exigent diagnoses. 
This is in accordance with the argumentation in [TvdT96] about the two-phase treatment 
of violated obligations. Moreover, Lang [Lan96] observes that his methodology in an 
alternative approach to qualitative decision theory contains two phases. First generate 
the preference relation from a set of desires, and then find the optimal feasible worlds, 
and thus the optimal decision. 

5.2 Properties of the logics Ldd and 2dl 

There are two important similarities between the logics Ldd and 2dl, contingency clause 
(consistency checks in the definition of obligation) and most importantly the lack of 
weakening of the consequent. In this paper, we argued that these properties are essen- 
tial for diagnosis. In [TvdT96] it is shown that these properties are essential to solve the 
notorious contrary-to-duty paradoxes of deontic logic. 
Contingency clause. Von Wright introduced the contingency clause, because he wanted 
to formalize a deontic logic based on a theory of conditions: ‘to say that something ought 
to be, or ought to be done, is to state that the being or doing of this thing is a necessary 
condition (requirement) of something else’ [vW71]. In DDD the contingency clause is introduced, 
because the consequent is restricted to design actions. In 2dl we have the theorems 
$O(\alpha|\beta) \to \Diamond(\alpha \land \beta)$ and $O(\alpha|\beta) \to \Diamond(\neg\alpha \land \beta)$. These consistency checks were 
introduced, because they are necessary to solve the notorious contrary-to-duty paradoxes 
like the Forrester and Chisholm paradoxes. 

A distinction is that in 2dl we have $O(\alpha|\beta) \to \Diamond(\alpha \land \beta)$ whereas in Ldd we only 
have $O(\alpha|\beta) \to \Diamond\alpha$. Notice that in Ldd obligations of type $O(p|\bot)$ can be valid. Even 
if an obligation can never be violated in a model (the condition never holds), there are 
situations where the obligation should hold. Consider the following example: all salesmen 
responsible for at least one region must participate in the preparation of the annual 
budget. It could be the case that, in a particular moment (i.e., in a model, if we consider 
that being responsible for a region is a structural concept), there are no salesmen responsible 
for regions (due, for example, to an ongoing reorganisation), i.e., the obligation is 
always fulfilled. However, since this is a temporary situation, the organization could be 
interested in keeping the rule (in order to avoid the necessity to change the normative 
systems when the structure changes). 



Lack of weakening of the consequent. Lack of weakening of Ldd is a desirable property 
in DDD^, because it avoids too many violations as discussed in Section 3.2. Lack 
of weakening is used in 2dl because of the ctd paradoxes. Lack of weakening of the 
consequent is a well-known theme in deontic logic. Ross gave the following counterintuitive 
example of weakening of the consequent, called the Ross paradox: ‘if you 
should mail the letter, then you should mail or burn the letter’ [Ros41]. A similar SDL 
theorem has been questioned by Von Wright. He observed that ‘in a deontic logic which 
rejects the implication from left to right in the equivalence $O(p \land q) \leftrightarrow (Op \land Oq)$ while 
retaining the implication from right to left, the paradoxes would not appear’ [vW81, p.7]. 
Beatty [Bea73] suggests that ‘descriptive sentences’ do not have closure under logical 
implication. Jennings [Jen85] observes that ‘It has been suggested that a unary operator 
$O$ capable of bearing a deontic interpretation might be defined in a logic of preference 
by $O\alpha$ $\alpha P \neg\alpha$’, and that ‘if the preference logic has the natural distributive properties 
as von Wright advocates, the defined deontic necessity will be nonmonotonic’ (i.e. 
does not have weakening). 



Fulfilled goals and violations in Ldd. Reconsider the definition of obligation in Ldd 
$O(\alpha|\beta) =_{def} I(\beta \leftrightarrow \alpha) \land \neg I(\neg\alpha \land \beta) \land \neg struct(\alpha)$. The following definition 
discriminates between violations and fulfillments of this definition of obligations in the deontic 
logic Ldd. 

Definition 18. (Ldd) The logic Ldd is a minimal deontic logic as defined in Definition 9, 
extended with the following definitions. 

$struct(\alpha) =_{def} \Box\alpha \lor \Box\neg\alpha$

$F(\alpha|\beta) =_{def} I(\alpha \leftrightarrow \beta)$

$V(\alpha|\beta) =_{def} \neg I(\beta \land \neg\alpha)$

$O(\alpha|\beta) =_{def} F(\alpha|\beta) \land V(\alpha|\beta) \land \neg struct(\alpha)$

Observe that $(\alpha \leftrightarrow \beta) \leftrightarrow ((\alpha \land \beta) \lor (\neg\alpha \land \neg\beta))$. In diO(de)² only $\alpha \land \beta$ corresponds 
to a fulfilled goal, in Ldd also $\neg\alpha \land \neg\beta$. The intuition of the bi-implication in Ldd is 
as follows. In conditional obligations, ideally, if the condition is true, the action must be 
performed (and the condition cannot be true if the action is not performed). A situation 
where the condition is true and the action is not performed, is not an ideal one. Situations 
where the condition is false, and the action is performed, are not in the scope of truth in 
conditional obligations. We can analyze properties of the logic Ldd by analyzing the 
properties of the definitions $F$ and $V$. For example: 

$F(\alpha|\beta) \leftrightarrow F(\neg\beta|\neg\alpha)$ $\qquad$ $V(\alpha|\beta) \leftrightarrow V(\neg\beta|\neg\alpha)$

$F(\alpha|\beta) \leftrightarrow F(\beta|\alpha)$ $\qquad$ $V(\alpha|\beta) \leftrightarrow V(\beta \to \alpha|\top)$

F[a\(3) AA F{-^a\(3) 

$F(\alpha|\beta) \leftrightarrow F(\beta \leftrightarrow \alpha|\top)$

6 Conclusions 

Classical approaches to a theory of diagnosis are based only on minimal diagnoses, and 
as a consequence they are not suitable to support decision-making processes. That limitation 
of classical approaches becomes more relevant when diagnosis is used in the context 
of a design support framework. In this paper two distinct non-classical diagnosis 
approaches have been presented, ddd and diO(de)², both supporting the design of 
procedures/processes in organizations. Both are extensions of diOde, a deontic version of 
classical diagnoses. 

Ldd and 2dl are two deontic logics that have been introduced in a theory of diagnosis. 
Both languages presented are based on propositional logic. We are aware that this is a 
simplification of the real process/procedures diagnosis. Usually the rules that guide designs 
are generic ones, which have to be expressed in first-order logic. It is necessary to 
extend the languages in order to capture those generic rules (see also [CL92]). Conflicting 
obligations is also a subject that it is important to consider in a framework that aims to 
help a designer. Not only because conflicts sometimes occur in organizations, but also 
due to alternative diagnoses. It is important to find a useful way to help the designer to 
deal with alternative choices. Conflict resolution strategies from defeasible deontic logic 
could be a possible answer, see [vdTT95,vdTT97a]. Castaneda’s proposal [Cas81] for 
handling conflicting obligations is another possible approach. 
Abstract. In this article we propose contextual deontic logic. Contextual 
obligations are written as $O(\alpha|\beta\backslash\gamma)$, and are to be read as ‘$\alpha$ 
should be the case if $\beta$ is the case, unless $\gamma$ is the case’. The unless clause 
is analogous to the justification in Reiter’s default rules. We show how 
contextual obligations can be used to solve certain aspects of contrary-to-duty 
paradoxes of dyadic deontic logic. 



1 Contrary-to-Duty Reasoning 

In recent years several researchers have argued that deontic logic is a useful tool 
to model reasoning in (legal) knowledge-based systems 
[JS92,RL92,Smi94,Roy96]. The problem, however, is that deontic logic is hampered 
by the so-called deontic paradoxes. The contrary-to-duty paradoxes like 
the notorious Chisholm paradox are the classic benchmark problems of deontic 
logics, which have initiated developments of monadic deontic logics [Chi63,For84], 
dyadic deontic logics [Tom81] and temporal deontic logics [vE82]. In this article 
we analyze certain aspects of the paradoxes in dyadic deontic logics, in which an 
obligation $O(\alpha|\beta)$ is read as ‘$\alpha$ should be the case if $\beta$ is the case.’ An obligation 
$O(\alpha|\beta)$ is a contrary-to-duty obligation of the primary obligation $O(\alpha_1|\beta_1)$ if 
and only if $\beta \land \alpha_1$ is inconsistent, as represented in Figure 1. 



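[Figure: the obligations $O(\alpha_1|\beta_1)$ and $O(\alpha|\beta)$, connected by a line marked ‘inconsistent’.] 

Fig. 1. $O(\alpha|\beta)$ is a contrary-to-duty obligation of $O(\alpha_1|\beta_1)$ 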



The following example illustrates that the derivation of the dyadic obligation 
$O(\alpha_1|\neg\alpha_2)$ from the obligation $O(\alpha_1 \land \alpha_2|\top)$ is a fundamental problem underlying 
several contrary-to-duty paradoxes. Hence, the underlying problem of the 
contrary-to-duty paradoxes is that a contrary-to-duty obligation can be derived 
from its primary obligation. 

Example 1. (Contrary-to-Duty Paradoxes) Assume a dyadic deontic logic 
that validates at least substitution of logical equivalents and the following 
(intuitively^ valid) inference patterns Restricted Strengthening of the Antecedent 
(rsa), Weakening of the Consequent (wc), Conjunction (and) and a version of 
Deontic Detachment (dd'), in which $\Diamond$ is a modal operator (that will be explained 
later) and $\Diamond\phi$ is true for all consistent propositional formulas $\phi$. 

$RSA: \frac{O(\alpha|\beta_1),\ \Diamond(\alpha \land \beta_1 \land \beta_2)}{O(\alpha|\beta_1 \land \beta_2)} \qquad WC: \frac{O(\alpha_1|\beta)}{O(\alpha_1 \lor \alpha_2|\beta)}$

$AND: \frac{O(\alpha_1|\beta),\ O(\alpha_2|\beta)}{O(\alpha_1 \land \alpha_2|\beta)} \qquad DD': \frac{O(\alpha|\beta),\ O(\beta|\gamma)}{O(\alpha \land \beta|\gamma)}$

Furthermore, consider the sets 

$S = \{O(\neg k|\top), O(g \land k|k)\}$

$S' = \{O(a|\top), O(t|a), O(\neg t|\neg a)\}$

$S'' = \{O(\neg a|\top), O(a \lor p|\top), O(\neg p|a)\}$

where $\top$ stands for any tautology. $S$ formalizes the Forrester paradox [For84] 
when $k$ is read as ‘killing someone’ and $g \land k$ as ‘killing someone gently,’ $S'$ 
formalizes the Chisholm paradox [Chi63] when $a$ is read as ‘a certain man going 
to the assistance of his neighbors’ and $t$ as ‘the man telling his neighbors that he 
will come,’^ and finally, $S''$ formalizes the apples-and-pears example [TvdT96] 
when $a$ is read as ‘buying apples’ and $p$ as ‘buying pears.’ The last obligation of 
each premise set is a contrary-to-duty obligation of the first obligation of the set, 
because its antecedent is contradictory with the consequent of the latter. The 
paradoxical consequences of the sets of obligations are represented in Figure 2. 
The underlying problem of the counterintuitive derivations is the derivation of 
the obligation $O(\alpha_1|\neg\alpha_2)$ from $O(\alpha_1 \land \alpha_2|\top)$ by WC and RSA: respectively the 
derivation of $O(\neg(g \land k)|k)$ from $O(\neg k|\top)$, $O(t|\neg a)$ from $O(a \land t|\top)$, and $O(p|a)$ 
from $O(\neg a \land p|\top)$. 

^ For example, we would like to use strengthening of the antecedent to derive ‘you 
should not kill in the morning’ from ‘you should not kill,’ and weakening of the 
consequent to derive ‘you should not kill’ from ‘you should not kill and drive on the 
right side of the street.’ However, besides problems created by contrary-to-duty reasoning 
there are also problems related to dilemma reasoning. For example, one may 
argue that the derivation of $O(p|\neg(p \land q))$ from the set $\{O(p|\top), O(q|\top)\}$ is 
counterintuitive. This could be an argument saying that strengthening of the antecedent 
is counterintuitive. We argued in [TvdT96,vdTT97b] that these dilemma problems 
should be analyzed separately from contrary-to-duty problems. In this paper, we 
only analyze so-called minimal deontic logics in which dilemmas are consistent. For 
the formalization of the no-dilemma assumption, see [TvdT96,vdTT97b]. 

^ The original Chisholm set also contains the fact that the man does not go to the assis- 
tance. However, the addition of this fact does not have any consequences, because we 
do not derive monadic obligations from dyadic ones (so-called factual detachment). 
We do not accept factual detachment, because it results in so-called pragmatic odd- 
ities, see [PS94]. 
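Derivation from $S$: from $O(\neg k|\top)$, wc gives $O(\neg(g \land k)|\top)$; RSA gives $O(\neg(g \land k)|k)$; 
with $O(g \land k|k)$, AND gives $O(\neg(g \land k) \land (g \land k)|k)$. 

Derivation from $S'$: from $O(t|a)$ and $O(a|\top)$, DD gives $O(a \land t|\top)$; wc gives $O(t|\top)$; 
RSA gives $O(t|\neg a)$; with $O(\neg t|\neg a)$, AND gives $O(t \land \neg t|\neg a)$. 

Derivation from $S''$: from $O(\neg a|\top)$ and $O(a \lor p|\top)$, AND gives $O(\neg a \land p|\top)$; wc gives 
$O(p|\top)$; RSA gives $O(p|a)$; with $O(\neg p|a)$, AND gives $O(p \land \neg p|a)$. 

Fig. 2. Three contrary-to-duty paradoxes 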



There are two types of dyadic deontic logics, dependent on how the antecedent 
is interpreted. The first type, as advocated by Chellas [Che74,Alc93], defines 
a dyadic obligation in terms of a monadic obligation by $O(\alpha|\beta) =_{def} \beta > O\alpha$, 
where ‘>’ is a strict implication. These dyadic deontic logics have strengthening 
of the antecedent, but they cannot represent the contrary-to-duty paradoxes 
in a consistent way. Dyadic deontic logics of the second type, as introduced 
by Hansson [Han71] and further investigated by Lewis [Lew74], do not have 
strengthening of the antecedent and therefore they can represent the paradoxes. 
Intuitively, the solution of these logics is that the antecedent of the dyadic obligations 
is interpreted as a kind of ‘context’. For example, in the Forrester paradox 
the derivation of the obligation $O(\neg(g \land k)|k)$ from $O(\neg k|\top)$ is counterintuitive, 
because in the context where you kill, it is not obligatory not to kill gently 
(whereas this is obligatory in the most general context). Because there are many 
different problems related to the Forrester and Chisholm paradoxes, we restrict 
our analysis to the apples-and-pears example. In the contextual interpretation 
of the apples-and-pears example, the derivation of the obligation $O(p|a)$ from 
$O(\neg a|\top)$ and $O(a \lor p|\top)$ is counterintuitive, because in the context where apples 
are bought, it is not obligatory to buy pears (whereas this is obligatory in the 
most general context). 

In this paper, we propose a solution for the paradoxes based on contextual 
obligations. A contextual obligation, written as $O(\alpha|\beta\backslash\gamma)$, is an extension of 
a dyadic obligation $O(\alpha|\beta)$ with an unless clause $\gamma$. The unless clause can be 
compared to the justification in a Reiter default ‘$\alpha$ is normally the case if $\beta$ is 
the case unless $\gamma$ is the case,’ written as $\beta : \neg\gamma / \alpha$ [Rei80]. For example, ‘birds fly 
unless they are penguins’ can be represented by $b : \neg p / f$, and ‘penguins do not 
fly’ by $(b \land p) : \top / \neg f$. Hence, the unless clause is analogous to the justification 
of a Reiter default, which means that it formalizes a kind of consistency check. 

This paper is organized as follows. In Section 2 we give the solution of the 
apples-and-pears problem in labeled deontic logic Ldl. In Section 3 we introduce 
contextual obligations $O(\alpha|\beta\backslash\gamma)$, and we show how they solve the apples-and-pears 
problem. Finally, in Section 4 we mention some interesting connections 
with logics of defeasible reasoning and qualitative decision theory. 

2 Labeled Obligations 

In [vdTT95] we introduced labeled deontic logic Ldl, a logic inspired by contextual 
logic [BT96]. Labeled obligations $O(\alpha|\beta)_L$ can roughly be read as ‘$\alpha$ ought 
to be the case, if $\beta$ is the case, because of $L$.’ 

2.1 Implicit and Explicit Obligations 

To illustrate the distinction between implicit and explicit obligations, we recall 
the well-known distinction between implicit and explicit knowledge. The latter 
distinction originates in the logical omniscience problem: in principle, an agent 
cannot know all logical consequences of his knowledge. The benchmark example 
is that knowledge of the laws of mathematics does not imply knowledge of the 
theorem of Fermat. That is, an agent does not explicitly know the theorem of 
Fermat, she only implicitly knows it. Analogously, explicit obligations are not 
deductively closed, in contrast to implicit obligations. 

Several researchers make a distinction between imperatives and obligations, 
although many researchers hold them as essentially the same. Explicit obligation 
can be used to formalize imperatives, and implicit obligations can be used to 
formalize the ‘usual’ type of obligations. The idea behind labeled obligations is 
to represent the explicit obligation, of which the implicit obligation is derived, 
in the label. The label is the reason for the obligation. If we make the distinction 
between imperatives and obligations, then the label $L$ of the obligation $O(\alpha|\beta)_L$ 
represents the imperatives from which the obligation is derived. This explains 
our reading of the label obligation $O(\alpha|\beta)_L$: ‘$\alpha$ ought to be the case if $\beta$ is the 
case, because of the imperatives $L$.’ 

We can use labeled deontic logic to solve the contrary-to-duty paradoxes, 
because we use the label to check that a derived obligation is not a contrary- 
to-duty obligation of its premises. Remember that we can test for CTD with 
a consistency check, see Figure 1. The label of an obligation represents the 
consequents of the premises from which the obligation is derived. In labeled 
deontic logic we use a consistency check of the label of the obligation with 
its antecedent. If the label and the antecedent are consistent, then the derived 
obligation is not a contrary-to-duty of its premises. 

2.2 Labeled Obligations 

In this section we introduce a deontic version of a labeled deductive system as 
it was introduced by Gabbay in [Gab91]. The language of dyadic deontic logic 
is enriched by allowing labels in the dyadic obligations. Roughly speaking, the 
label $L$ is a record of the consequents of all the premises that are used in the 
derivation of $O(\alpha|\beta)$. 

Definition 2. (Language of Ldl) The language of labeled deontic logic is a 
propositional base logic $\mathcal{L}$ and labeled dyadic conditional obligations $O(\alpha|\beta)_L$, 
with $\alpha$ and $\beta$ sentences of $\mathcal{L}$, and $L$ a set of sentences of $\mathcal{L}$. 

Each labeled obligation occurring as a premise has its own consequent in its 
label. This represents that the premises are explicit obligations, because it is 
derived ‘from itself.’ 

Definition 3. (Premises of Ldl) A labeled obligation which has its own consequent 
as its label is called a premise. 

We assume that the antecedent and the label of an obligation are always 
consistent. The label of an obligation derived by an inference rule is the union 
of the labels of the premises used in this inference rule. Below are some labeled 
versions of inference schemes. We write $\Diamond L$ for a consistency check of a set of 
formulas. 



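$RSA_V: \frac{O(\alpha|\beta_1)_L,\ \Diamond(L \cup \{\beta_1 \land \beta_2\})}{O(\alpha|\beta_1 \land \beta_2)_L}$

$WC_V: \frac{O(\alpha_1|\beta)_L}{O(\alpha_1 \lor \alpha_2|\beta)_L}$

$RDD_V: \frac{O(\alpha|\beta)_{L_1},\ O(\beta|\gamma)_{L_2},\ \Diamond(L_1 \cup L_2 \cup \{\gamma\})}{O(\alpha \land \beta|\gamma)_{L_1 \cup L_2}}$

$RAND_V: \frac{O(\alpha_1|\beta)_{L_1},\ O(\alpha_2|\beta)_{L_2},\ \Diamond(L_1 \cup L_2 \cup \{\beta\})}{O(\alpha_1 \land \alpha_2|\beta)_{L_1 \cup L_2}}$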

Informally, the premises used in the derivation tree are not violated by the 
antecedent of the derived obligation, or, alternatively, the derived obligation 
is not a contrary-to-duty obligation of these premises. We say that the labels 
formalize the assumptions on which an obligation is derived, and the consistency 
check O checks whether the assumptions are violated. The following example 
illustrates that the labeled deductive system gives the intuitive reading of the 
Apples-and-Pears example. 



Example 4. (Apples-and-Pears, continued) Assume a labeled deductive system
that validates at least the inference patterns $\mathrm{RSA}_V$, $\mathrm{RAND}_V$ and $\mathrm{WC}_V$.
Consider the premise set of labeled obligations
$S = \{O(a \vee p|\top)_{\{a \vee p\}},\ O(\neg a|\top)_{\{\neg a\}}\}$,
where $a$ can be read as ‘buying apples’ and $p$ as ‘buying pears’. In
Figure 3 below it is shown how the derivation in Figure 2 is blocked.



The apples-and-pears example in labeled deontic logic showed an important 
property of dyadic deontic logics with a contextual interpretation of the an- 
tecedent, namely that the context is restricted to non-violations of premises. If 
the antecedent is a violation, i.e. if the derived obligation would be a contrary-to- 
duty obligation, then the derivation is blocked. Obviously, as a logic the labeled 
deductive system is quite limited, if only because it lacks a semantics. In the 
following section, we consider contextual deontic logic, which has an intuitive 
preference-based semantics. 
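
The blocked derivation of Example 4, as an added Python sketch that is not part of the original paper. It assumes that formulas are represented by their sets of satisfying valuations over the atoms a and p and that the consistency check is joint satisfiability; the function names (`premise`, `rand_v`, `wc_v`, `rsa_v`) are hypothetical.

```python
from itertools import product

ATOMS = ("a", "p")  # a: buying apples, p: buying pears
WORLDS = frozenset(product((False, True), repeat=len(ATOMS)))

def prop(pred):
    """A formula, represented by the set of valuations that satisfy it."""
    return frozenset(w for w in WORLDS if pred(dict(zip(ATOMS, w))))

TOP = WORLDS
A = prop(lambda v: v["a"])
P = prop(lambda v: v["p"])
NOT_A = WORLDS - A

def consistent(formulas):
    """Consistency check: one valuation satisfies every formula in the set."""
    common = WORLDS
    for f in formulas:
        common &= f
    return bool(common)

# A labeled obligation O(alpha|beta)_L is the tuple (alpha, beta, L).
def premise(alpha, beta=TOP):
    """Definition 3: a premise carries its own consequent as its label."""
    return (alpha, beta, frozenset({alpha}))

def rand_v(o1, o2):
    """RAND_V: conjoin consequents if L1 ∪ L2 ∪ {beta} is consistent."""
    (a1, b1, l1), (a2, b2, l2) = o1, o2
    if b1 != b2 or not consistent(l1 | l2 | {b1}):
        return None
    return (a1 & a2, b1, l1 | l2)

def wc_v(o, alpha2):
    """WC_V: weaken the consequent alpha1 to alpha1 ∨ alpha2; label unchanged."""
    alpha1, beta, label = o
    return (alpha1 | alpha2, beta, label)

def rsa_v(o, beta2):
    """RSA_V: strengthen beta to beta ∧ beta2 if L ∪ {beta ∧ beta2} is consistent."""
    alpha, beta, label = o
    if not consistent(label | {beta & beta2}):
        return None  # blocked: the new antecedent violates a premise in the label
    return (alpha, beta & beta2, label)

def apples_and_pears():
    conj = rand_v(premise(A | P), premise(NOT_A))  # O(¬a∧p|⊤) with label {a∨p, ¬a}
    pears = wc_v(conj, P)                          # O(p|⊤), same label
    return conj, pears, rsa_v(pears, A), rsa_v(conj, A)
```

Both attempts to strengthen the antecedent to a return `None`, in either order relative to the weakening step, while strengthening the single premise O(a∨p|⊤) to the antecedent ¬a is still allowed.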
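[Figure 3: two derivation trees from the premises $O(a \vee p|\top)_{\{a \vee p\}}$ and $O(\neg a|\top)_{\{\neg a\}}$.
In both, AND gives $O(\neg a \wedge p|\top)_{\{a \vee p, \neg a\}}$. In one tree the step labeled (SA/RSA) leads to
$O(\neg a \wedge p|a)_{\{a \vee p, \neg a\}}$ and WC to $O(p|a)_{\{a \vee p, \neg a\}}$; in the other, WC gives
$O(p|\top)_{\{a \vee p, \neg a\}}$ and the step labeled (SA/RSA) leads to $O(p|a)_{\{a \vee p, \neg a\}}$.]

Fig. 3. The apples-and-pears example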



3 Contextual Obligations 

Contextual obligations are formalized in Boutilier’s modal preference* logic
CT4O, a bimodal propositional logic of inaccessible worlds. For the details and
completeness proof of this logic see [Bou94a]. In the logic we abstract from
actions, time and individuals.

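Definition 5. (CT4O) The logic CT4O is a propositional bimodal system with
the two normal modal connectives $\Box$ and $\overleftarrow{\Box}$. Dual ‘possibility’ connectives $\Diamond$ and
$\overleftarrow{\Diamond}$ are defined as usual and two additional modal connectives $\overleftrightarrow{\Box}$ and $\overleftrightarrow{\Diamond}$ are defined
as follows.

$$\Diamond\alpha =_{def} \neg\Box\neg\alpha \qquad \overleftrightarrow{\Box}\alpha =_{def} \Box\alpha \wedge \overleftarrow{\Box}\alpha$$

$$\overleftarrow{\Diamond}\alpha =_{def} \neg\overleftarrow{\Box}\neg\alpha \qquad \overleftrightarrow{\Diamond}\alpha =_{def} \Diamond\alpha \vee \overleftarrow{\Diamond}\alpha$$

CT4O is axiomatized by the following axioms and inference rules.

K    $\Box(\alpha \to \beta) \to (\Box\alpha \to \Box\beta)$

K'   $\overleftarrow{\Box}(\alpha \to \beta) \to (\overleftarrow{\Box}\alpha \to \overleftarrow{\Box}\beta)$

T    $\Box\alpha \to \alpha$

4    $\Box\alpha \to \Box\Box\alpha$

H    $\overleftrightarrow{\Diamond}(\Box\alpha \wedge \overleftarrow{\Box}\beta) \to \overleftrightarrow{\Box}(\alpha \vee \beta)$

Nes  From $\alpha$ infer $\overleftrightarrow{\Box}\alpha$

MP   From $\alpha \to \beta$ and $\alpha$ infer $\beta$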

Kripke models $M = \langle W, \leq, V \rangle$ for CT4O consist of $W$, a set of worlds, $\leq$, a
binary transitive and reflexive accessibility relation, and $V$, a valuation of the
propositional atoms in the worlds. The partial pre-ordering $\leq$ expresses
preferences: $w_1 \leq w_2$ iff $w_1$ is as preferable as $w_2$. The modal connective $\Box$ refers to
accessible worlds and the modal connective $\overleftarrow{\Box}$ to inaccessible worlds.

$M, w \models \Box\alpha$ iff $\forall w' \in W$ if $w' \leq w$, then $M, w' \models \alpha$

* The use of preferences follows from the fact that an obligation $O\alpha$ is interpreted
as some kind of choice between $\alpha$ and $\neg\alpha$. This idea of deontic choice results in
utilitarian (preference-based) semantics [Jen74]. It should be noted that
preference-based semantics are closely related to semantics based on choice functions and other
classical semantics [Lew74].
$M, w \models \overleftarrow{\Box}\alpha$ iff $\forall w' \in W$ if $w' \not\leq w$, then $M, w' \models \alpha$

Contextual obligations are defined in CT4O as follows. In this paper, we do
not discuss the properties of $>_s$ but we focus on the properties of the contextual
obligations.†

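Definition 6. (Cdl) The logic Cdl is the logic CT4O extended with the
following definitions of contextual obligations. The contextual obligation ‘$\alpha$ should
be the case if $\beta$ is the case unless $\gamma$ is the case’, written as $O(\alpha|\beta\backslash\gamma)$, is defined
as a strong preference of $\alpha \wedge \beta \wedge \neg\gamma$ over $\neg\alpha \wedge \beta$.

$$\alpha_1 >_s \alpha_2 =_{def} \overleftrightarrow{\Box}(\alpha_1 \to \Box\neg\alpha_2)$$

$$O(\alpha|\beta\backslash\gamma) =_{def} (\alpha \wedge \beta \wedge \neg\gamma) >_s (\neg\alpha \wedge \beta)$$

$$= \overleftrightarrow{\Box}((\alpha \wedge \beta \wedge \neg\gamma) \to \Box(\beta \to \alpha))$$

$$O^{\exists}(\alpha|\beta\backslash\gamma) =_{def} (\alpha \wedge \beta \wedge \neg\gamma) >_s (\neg\alpha \wedge \beta) \wedge \overleftrightarrow{\Diamond}(\alpha \wedge \beta \wedge \neg\gamma)$$

$$O^{\exists\exists}(\alpha|\beta\backslash\gamma) =_{def} (\alpha \wedge \beta \wedge \neg\gamma) >_s (\neg\alpha \wedge \beta) \wedge \overleftrightarrow{\Diamond}(\alpha \wedge \beta \wedge \neg\gamma) \wedge \overleftrightarrow{\Diamond}(\neg\alpha \wedge \beta)$$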

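From the definitions follow immediately the following satisfiability
conditions for the modal connectives $\overleftrightarrow{\Box}$: $M, w \models \overleftrightarrow{\Box}\alpha$ iff $\forall w' \in W$ $M, w' \models \alpha$, and $\overleftrightarrow{\Diamond}$:
$M, w \models \overleftrightarrow{\Diamond}\alpha$ iff $\exists w' \in W$ $M, w' \models \alpha$. As a consequence, the truth value of a
contextual obligation does not depend on the world in which the obligation is
evaluated. For a model $M = \langle W, \leq, V \rangle$ we have $M \models O(\alpha|\beta\backslash\gamma)$ (i.e. for all
worlds $w \in W$ we have $M, w \models O(\alpha|\beta\backslash\gamma)$) iff there is a world $w \in W$ such that
$M, w \models O(\alpha|\beta\backslash\gamma)$.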

The following proposition shows the truth conditions of contextual obliga- 
tions. 

Proposition 7. (Contextual Obligation) Let $M = \langle W, \leq, V \rangle$ be a CT4O
model and let $|\alpha|$ be the set of worlds that satisfy $\alpha$. For a world $w \in W$,
we have $M, w \models O(\alpha|\beta\backslash\gamma)$ iff for all $w_1 \in |\alpha \wedge \beta \wedge \neg\gamma|$ and all $w_2 \in |\neg\alpha \wedge \beta|$ we
have $w_2 \not\leq w_1$.

Proof Follows directly from the definition of $>_s$.

The following proposition shows several properties of contextual obligations. 

Proposition 8. (Theorems of Cdl) The logic CT4O validates the following 
theorems. 

† The preference relation $>_s$ is quite weak. For example, it is not anti-symmetric (we
cannot derive $\neg(\alpha_2 >_s \alpha_1)$ from $\alpha_1 >_s \alpha_2$) and it is not transitive (we cannot derive
$\alpha_1 >_s \alpha_3$ from $\alpha_1 >_s \alpha_2$ and $\alpha_2 >_s \alpha_3$). The lack of these properties is the result of
the fact that we do not have connected orderings. Moreover, this a-connectedness is
crucial for our preference-based deontic logics, see [TvdT96,vdTT97b].
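SA: $O(\alpha|\beta_1\backslash\gamma) \to O(\alpha|\beta_1 \wedge \beta_2\backslash\gamma)$

WC: $O(\alpha_1 \wedge \alpha_2|\beta\backslash\gamma) \to O(\alpha_1|\beta\backslash\gamma \vee \neg\alpha_2)$

WT: $O(\alpha|\beta\backslash\gamma_1) \to O(\alpha|\beta\backslash\gamma_1 \vee \gamma_2)$

AND: $(O(\alpha_1|\beta\backslash\gamma) \wedge O(\alpha_2|\beta\backslash\gamma)) \to O(\alpha_1 \wedge \alpha_2|\beta\backslash\gamma)$

RSA: $(O^{\exists}(\alpha|\beta_1\backslash\gamma) \wedge \overleftrightarrow{\Diamond}(\alpha \wedge \beta_1 \wedge \beta_2 \wedge \neg\gamma)) \to O^{\exists}(\alpha|\beta_1 \wedge \beta_2\backslash\gamma)$

RAND: $(O^{\exists}(\alpha_1|\beta\backslash\gamma) \wedge O^{\exists}(\alpha_2|\beta\backslash\gamma) \wedge \overleftrightarrow{\Diamond}(\alpha_1 \wedge \alpha_2 \wedge \beta \wedge \neg\gamma)) \to O^{\exists}(\alpha_1 \wedge \alpha_2|\beta\backslash\gamma)$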

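Proof The theorems are proven in the preferential semantics. Consider WC.
Assume $M \models O(\alpha_1 \wedge \alpha_2|\beta\backslash\gamma)$. Let $W_1 = |\alpha_1 \wedge \alpha_2 \wedge \beta \wedge \neg\gamma|$ and $W_2 = |\neg(\alpha_1 \wedge \alpha_2) \wedge \beta|$,
and $w_2 \not\leq w_1$ for $w_1 \in W_1$ and $w_2 \in W_2$. Moreover, let $W_1' = |\alpha_1 \wedge \beta \wedge \neg(\gamma \vee \neg\alpha_2)|$
and $W_2' = |\neg\alpha_1 \wedge \beta|$. We have $w_2 \not\leq w_1$ for $w_1 \in W_1'$ and $w_2 \in W_2'$, because
$W_1 = W_1'$ and $W_2' \subseteq W_2$. Thus, $M \models O(\alpha_1|\beta\backslash\gamma \vee \neg\alpha_2)$. Verification of the other
theorems is left to the reader.‡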

To illustrate the properties of Cdl, we compare it with Bengt Hansson’s
minimizing dyadic deontic logic. First we recall some well-known definitions and
properties of this logic. In Bengt Hansson’s classical preference semantics [Han71], as
studied by Lewis [Lew74], a dyadic obligation, which we denote by $O_{HL}(\alpha|\beta)$,
is true in a model iff ‘the minimal (or preferred) $\beta$ worlds satisfy $\alpha$’. A weaker
version of this definition, which allows for moral dilemmas, is that $O^{\exists}_{HL}(\alpha|\beta)$
is true in a model iff there is an equivalence class of minimal (or preferred) $\beta$
worlds that satisfy $\alpha$.

Definition 9. (Minimizing Obligation) Let $M = \langle W, \leq, V \rangle$ be a Kripke
model and $|\alpha|$ be the set of all worlds of $W$ that satisfy $\alpha$. The weak
Hansson-Lewis obligation ‘$\alpha$ should be the case if $\beta$ is the case’, written as $O^{\exists}_{HL}(\alpha|\beta)$, is
defined as follows.

$$O^{\exists}_{HL}(\alpha|\beta) =_{def} \overleftrightarrow{\Diamond}(\beta \wedge \Box(\beta \to \alpha))$$

The model $M$ satisfies the weak Hansson-Lewis obligation ‘$\alpha$ should be the
case if $\beta$ is the case’, written as $M \models O^{\exists}_{HL}(\alpha|\beta)$, iff there is a world $w_1 \in |\alpha \wedge \beta|$
such that for all $w_2 \in |\neg\alpha \wedge \beta|$ we have $w_2 \not\leq w_1$. The following proposition shows
that the expression corresponds to a weak Hansson-Lewis minimizing
obligation. For simplicity, we assume that there are no infinite descending chains.

Proposition 10. Let $M = \langle W, \leq, V \rangle$ be a CT4O model, such that there are no
infinite descending chains. As usual, we write $w_1 < w_2$ for $w_1 \leq w_2$ and not
$w_2 \leq w_1$, and $w_1 \sim w_2$ for $w_1 \leq w_2$ and $w_2 \leq w_1$. A world $w$ is a minimal
$\beta$-world, written as $M, w \models_{<} \beta$, iff $M, w \models \beta$ and for all $w' < w$ holds $M, w' \not\models \beta$.
A set of worlds is an equivalence class of minimal $\beta$-worlds, written as $E_\beta$, iff
there is a $w$ such that $M, w \models_{<} \beta$ and $E_\beta = \{w' \mid M, w' \models \beta$ and $w \sim w'\}$. We
have $M \models O^{\exists}_{HL}(\alpha|\beta)$ iff there is an $E_\beta$ such that $E_\beta \subseteq |\alpha|$.

‡ This proposition also shows an important advantage of the axiomatisation of the
deontic logic in an underlying preference logic: the properties of our dyadic obligations
can simply be proven by proving (un)derivability in CT4O.
Proof $\Leftarrow$ Follows directly from the definitions. Assume there is a $w$ such that
$M, w \models_{<} \beta$ and $E_\beta = \{w' \mid M, w' \models \beta$ and $w \sim w'\}$ and $E_\beta \subseteq |\alpha|$. For all
$w_2 \in |\neg\alpha \wedge \beta|$ we have $w_2 \not\leq w$.

$\Rightarrow$ Assume that there is a world $w_1 \in |\alpha \wedge \beta|$ such that for all $w_2 \in |\neg\alpha \wedge \beta|$
we have $w_2 \not\leq w_1$. Let $w$ be a minimal $\beta$-world such that $M, w \models_{<} \beta$ and
$w \leq w_1$ (that exists because there are no infinite descending chains), and let
$E_\beta = \{w' \mid M, w' \models \beta$ and $w \sim w'\}$.

Now we are ready to compare contextual deontic logic with Bengt Hansson’s
dyadic deontic logic. The following proposition shows that under a certain
condition, the contextual obligation $O(\alpha|\beta\backslash\gamma)$ is true in a model if and only if a
set of the weak Hansson-Lewis minimizing obligations $O^{\exists}_{HL}(\alpha|\beta')$ is true in the
model.

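Proposition 11. Let $M = \langle W, \leq, V \rangle$ be a CT4O model, that has no worlds that
satisfy the same propositional sentences. Hence, we identify the set of worlds with
a set of propositional interpretations, such that there are no duplicate worlds. We
have $M \models O^{\exists\exists}(\alpha|\beta\backslash\gamma)$ iff there are $\alpha \wedge \beta \wedge \neg\gamma$ and $\neg\alpha \wedge \beta$ worlds, and for all
propositional $\beta'$ such that $M \models \overleftrightarrow{\Box}(\beta' \to \beta)$ and $M \not\models \overleftrightarrow{\Box}(\beta' \to \gamma)$, we have
$M \models O^{\exists}_{HL}(\alpha|\beta')$.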

Proof $\Rightarrow$ Follows directly from the semantic definitions. $\Leftarrow$ Every world is
characterized by a unique propositional sentence. Let $\bar{w}$ denote the sentence that
uniquely characterizes world $w$. Proof by contraposition. If $M \not\models O^{\exists\exists}(\alpha|\beta\backslash\gamma)$,
then there are $w_1, w_2$ such that $M, w_1 \models \alpha \wedge \beta \wedge \neg\gamma$ and $M, w_2 \models \neg\alpha \wedge \beta$ and
$w_2 \leq w_1$. Choose $\beta' = \bar{w}_1 \vee \bar{w}_2$. The world $w_2$ is an element of the preferred $\beta'$
worlds, because there are no duplicate worlds. (If duplicate worlds are allowed,
then there could be a $\beta'$ world $w_3$ which is a duplicate of $w_1$, and which is strictly
preferred to $w_1$ and $w_2$.) We have $M, w_2 \not\models \alpha$ and therefore $M \not\models O^{\exists}_{HL}(\alpha|\beta')$.

The following example illustrates that contextual deontic logic solves the 
contrary-to-duty paradoxes. 



[Figure 4: preference diagram, not reproduced; surviving label: ‘sub-ideal situations’.]

Fig. 4. Semantic solution in contextual deontic logic
Example 12. (Apples-and-Pears, continued) Consider the premise set of
contextual obligations $S = \{O^{\exists}(a \vee p|\top\backslash\bot),\ O^{\exists}(\neg a|\top\backslash\bot)\}$. The crucial
observation is that we do not have $O^{\exists}(p|a\backslash\gamma)$ for any $\gamma$, and a typical countermodel
is the model in Figure 4. This figure should be read as follows. Each circle
represents an equivalence class of worlds, that satisfy the propositions written in
the circle. The arrows represent strict preferences for all worlds in the circle. We
have $S \models O^{\exists}(p|\top\backslash a)$, as is shown in Figure 5, which expresses that pears should
be bought, unless apples are bought. From the contextual obligation $O^{\exists}(p|\top\backslash a)$
we cannot derive $O^{\exists}(p|a\backslash a)$ due to the unless clause.



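[Figure 5: derivation tree. From $O^{\exists}(a \vee p|\top\backslash\bot)$ and $O^{\exists}(\neg a|\top\backslash\bot)$, AND gives
$O^{\exists}(\neg a \wedge p|\top\backslash\bot)$ and WC gives $O^{\exists}(p|\top\backslash a)$; the step to $O^{\exists}(p|a\backslash a)$ is marked NO (RSA).]

Fig. 5. Proof-theoretic solution in contextual deontic logic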



It is easily verified that the contextual obligations also solve the other 
contrary-to-duty paradoxes in Example 1. 
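
The truth condition of Proposition 7 applied to Example 12 on a finite model, as an added Python example that is not from the paper. The four-world preference relation `LEQ` is constructed here for illustration (it is not a transcription of Figure 4), and the function names are hypothetical.

```python
from itertools import combinations, product

# Worlds are (a, p) valuations: a = apples are bought, p = pears are bought.
WORLDS = list(product((False, True), repeat=2))
TOP, BOT = frozenset(WORLDS), frozenset()
A = frozenset(w for w in WORLDS if w[0])
P = frozenset(w for w in WORLDS if w[1])

# Constructed preference model; (w1, w2) in LEQ means w1 <= w2.
PEARS_ONLY, BOTH, APPLES_ONLY = (False, True), (True, True), (True, False)
LEQ = ({(w, w) for w in WORLDS}                       # reflexive
       | {(PEARS_ONLY, w) for w in WORLDS}            # ideal world is below every world
       | {(BOTH, APPLES_ONLY), (APPLES_ONLY, BOTH)})  # the two a-worlds are equivalent
# The world (False, False) stays incomparable with both a-worlds.

def is_preorder(leq):
    """CT4O models need a reflexive and transitive relation."""
    reflexive = all((w, w) in leq for w in WORLDS)
    transitive = all((x, z) in leq for (x, y) in leq for (y2, z) in leq if y == y2)
    return reflexive and transitive

def obligation(alpha, beta, gamma, leq=LEQ):
    """O(alpha | beta unless gamma), Proposition 7: no world of |¬alpha ∧ beta|
    is <= any world of |alpha ∧ beta ∧ ¬gamma|."""
    good = (alpha & beta) - gamma
    bad = beta - alpha
    return all((w2, w1) not in leq for w1 in good for w2 in bad)

def obligation_e(alpha, beta, gamma, leq=LEQ):
    """O^∃: the preference plus existence of an alpha ∧ beta ∧ ¬gamma world."""
    return bool((alpha & beta) - gamma) and obligation(alpha, beta, gamma, leq)

def contexts():
    """Every proposition gamma over the four worlds (all 16 subsets)."""
    return [frozenset(c) for r in range(5) for c in combinations(WORLDS, r)]

def apples_and_pears():
    premises = obligation_e(A | P, TOP, BOT) and obligation_e(TOP - A, TOP, BOT)
    pears_unless_apples = obligation_e(P, TOP, A)        # O^∃(p|⊤\a)
    ctd = any(obligation_e(P, A, g) for g in contexts())  # O^∃(p|a\γ) for some γ
    return premises, pears_unless_apples, ctd
```

In this model both premises and the obligation to buy pears unless apples are bought hold, while no unless clause γ makes the contrary-to-duty obligation O^∃(p|a\γ) true.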



4 Conclusions 

Recently, several researchers have noticed a remarkable resemblance between 
logics of qualitative decision theory, logics of desires and deontic logic, see for 
example [Bou94b,Lan96]. In future research, we will investigate whether contex- 
tual deontic logic proposed here can be applied to model qualitative decision 
theory, and which extensions are needed (see [TvdT96] for possible extensions). 

In the introduction, we already observed that we can also define contextual
defaults ‘$\alpha$ is usually the case if $\beta$ is the case unless $\gamma$ is the case,’ written as
$\beta$ : The main distinction between Cdl and Reiter’s default logic is that
contextual obligations are not used as inference rules. In Cdl, we derive
contextual obligations from contextual obligations, which can be compared to the
derivation of defaults from defaults. A set of defaults $\Delta$ derives a default $\delta$ iff
the set of extensions of $\langle \Delta, F \rangle$ is the same as the set of extensions of $\langle \Delta \cup \{\delta\}, F \rangle$
for every set of facts $F$. In Reiter’s default logic, defaults are used to generate
extensions. A similarity between Cdl and default logic is that contextual
obligations as well as defaults express preferences. Reiter’s defaults express preferences
on assumptions. We can view the default as expressing the preference that
models which make $\alpha \wedge \beta$ true are more preferred than models that make $\neg\alpha \wedge \beta$
true, and this preference is cancelled for models that make $\gamma$ true.
Contextual obligations give rise to a kind of defeasibility, in the sense that the
obligations lack unrestricted strengthening of the antecedent (the typical
property of defeasible conditionals [Alc93]). A non-monotonic (defeasible) aspect is
necessary for a satisfactory analysis of the contrary-to-duty paradoxes. However,
it is important to notice that this defeasibility related to contextual reasoning is
fundamentally different from the defeasibility related to specificity or prima
facie obligations, see [vdTT95,vdTT97a]. An important inference pattern in our
analysis of the contrary-to-duty paradoxes is weakening of the consequent.
Weakening of the consequent plays an important role in default logic too, as shown
by the normally-presumably logic of Veltman [Vel96]. The normally defaults do
not have weakening of the consequent, whereas the presumably defaults do.